Well I am sitting here recovering from what has been a intense first week of the 10-day CCIE R&S Bootcamp from the guys over at INE.
The course itself is nothing short of brilliant and I don’t think you can get a better course for your money on the market at the moment.
The first week was spent going over the core topics; switching, IGP’s, BGP, MPLS and MPLS VPN with the second week left for the smaller but for most people harder subjects such as multicast, PfR, QoS etc.
The bootcamp itself is quite a challenge as it runs from 9am every morning until 8pm most nights and once that is over there is some lab work that you can be doing to cement some of the things that have been taught on that day.
Brian really is an awesome guy and you can tell that he really knows what he is talking about, the bootcamp itself doesn’t have a single Powerpoint presentation or video, instead it is just Brian talking and drawing on a virtual whiteboard for 9 hours a day (along with some CLI work as well).
One of the things that has amazed me this week is that you may thing that you know a subject pretty well until Brian starts to go over it, he talks about every process that is ran when OSPF creates it database for instance and is able to talk you through every line in a particular show command so that you know exactly what is going on.
One of the most important thing that I think I have learned this week is that the CCIE exam is not just about memorising commands and typing them in as fast as you can on the lab day but instead is about a particular though process, thinking hard about what they are asking and then executing it in a clear and precise manner.
This weekend I’m having a weekend off from the studies as I have a friend coming down and we’re going to go see the sites of London but come Sunday night I am going to get back on the MPLS ‘homework’ and then back into some advanced MPLS stuff on Monday morning.
I recently had an issue where one of my Mac’s would not go to sleep whatever you tried.
I had checked that the energy saver settings were set to go to sleep after a specific amount of time.
I had also checked all the open apps to make sure they didn’t have an option to force the machine not to go to sleep but alas still nothing.
It turns out there is a little known command that can be used to check why your Mac isn’t sleeping, in my case it turned out to be Spotify that was open (not playing music, but was telling the system it was).
The command itself is pmset -g assertions
When you run that command it will show up whether you have any assertions currently keeping your system from sleep, you are looking for anything with PreventUserIdleSystemSleep in it.
It used to be something that couldn’t really be done on a Mac but I have just read through the documentation and it turns out that anything 10.6+ has the ability to automatically put an Airport card into monitor mode.
If you want to give this a go it is as simple as changing the framing mode when capturing on Wireshark, once you start capturing it will put the card into promiscuous mode and you will be able to see all traffic and not just the traffic to/from your machine.
Well tomorrow I’ll be jumping on a train down to London to take part in the INE 10-day CCIE bootcamp with Brian Dennis.
As part of my lab preparations I don’t think I could do any better than getting Brian himself to run me and a few others through our paces.
I’m sure it’ll be an intense 2 weeks however I will try and get a couple of posts written up at the same time.
I’m also trying to put together a ‘CCIE Wiki’ over at http://wiki.networkbroadcast.co.uk for anything that I don’t think warrants a post (or where I can’t be bothered writing it up as a post) so feel free to take a look.
Today I have been going through some more of the INE Vol2 labs and thought I would do a quick post on reflexive ACL’s.
Reflexive ACL’s can be used as a basic kind of ‘stateful’ table on devices to allow traffic back inbound on already established connections.
The reflective part of this feature can only be used on normal traffic flows where the inbound traffic is the same as the traffic that flowed outbound, this means it cannot be used for things like traceroute, VoIP (SIP) calls, FTP (active) and so special considerations should be used for this kind of traffic.
Reflexive ACL’s are configured as a pair and usually applied to the same interface, one in an inbound direction and one in the outbound direction.
To configure reflexive ACL’s we make use of a couple of new commands when creating extended access lists, below is a simple example of a reflexive ACL pair (inbound and outbound) –
R2(config)#ip access-list extended OUTBOUND
R2(config-ext-nacl)#permit tcp any any reflect STATEFUL
R2(config-ext-nacl)#permit udp any any reflect STATEFUL
R2(config-ext-nacl)#permit icmp any any reflect STATEFUL
R2(config-ext-nacl)#permit ip any any
R2(config)#ip access-list extended INBOUND
R2(config-ext-nacl)#evaluate STATEFUL # used to insert the reflected rules
R2(config-ext-nacl)#permit icmp any any ttl-exceeded # allows return traceroute traffic
R2(config-ext-nacl)#permit icmp any any port-unreachable # allows return traceroute traffic
R2(config-ext-nacl)#deny ip any any log # logs any denied traffic
R2(config-if)#ip access-group OUTBOUND out
R2(config-if)#ip access-group INBOUND in
As we can see the configuration is pretty simple, one important thing we need to remember though is to check that no traffic is being blocked that shouldn’t be (e.g. IGP traffic, non-standard traffic) so it is always important to know what traffic should be allowed through and put in explicit permit entries if needed. I have used an explicit deny at the end of the inbound ACL with the log option so that we can see any traffic that is being denied and add explicit permits if needed.
Once the ACL has been applied you can check counters just like any ACL using the ‘show ip access-list’ command, the only difference is that it will now show you the dynamic reflected ACL entries that will be used by the ‘evaluate’ statements.
R2#sh ip access-lists
Extended IP access list INBOUND
10 evaluate STATEFUL
20 permit icmp any any time-exceeded (3 matches)
30 permit icmp any any port-unreachable (2 matches)
40 deny ip any any log
Reflexive IP access list STATEFUL
permit icmp host 126.96.36.199 host 188.8.131.52 (10 matches) (time left 297)
Extended IP access list OUTBOUND
10 permit tcp any any reflect STATEFUL (12 matches)
20 permit udp any any reflect STATEFUL
30 permit icmp any any reflect STATEFUL (10 matches)
20 permit ip any any (11 matches)
Tonight I have made the plunge and booked a lab date to make my first attempt at the CCIE R&S lab over in Brussels.
Whilst it is still a way off at the moment I think this will be the best way for me to work, it gives me just under a couple of months before the payment due date, by which time I should know for sure if I am running ahead or behind of my schedule and adjust accordingly because once that 90-day barrier has been crossed there is no turning back.
Over the past couple of days I have reviewed the remainder of the INE Advanced Technology videos that I felt that I needed to brush up on.
I felt that before going onto the next stage that I needed to brush up on mostly some of the legacy QoS (FRTS included) and also the Catalyst QoS, I already felt pretty happy with it but as I don’t use it a whole lot day to day I felt it best to get it out of the way.
Starting tomorrow I am going to begin the Vol2 INE lab workbooks and go through them sequentially whilst also accompanying them with any Adv Tech or Vol1 scenarios as I see fit, hopefully as I get further through the 20 labs the use of the accompanying material should become less and less.
My only other material that I will be using for support is as per the lab in that I will be using the good old Doc-CD to try and get quicker at referencing some of the more obscure items that I could be quizzed on during the lab.
I’m hoping that if I start Lab 1 tomorrow night after work that it shouldn’t take me too long to work through it (working on 2-3 hours a night).
I’ll post on here afterwards with my thoughts on the experience, until then?
Back when I passed my CCIE written last year I had the momentum behind me and felt that I would be able to study for and take my first attempt at the lab in only a few months.
Since then I have realised more than ever how much of a full-time commitment the lab can very quickly become.
Between work and personal commitments it soon became all to easy to just put the lab studies on the back burner for another day however we all no that tomorrow never really comes…
I’ve said it before but now more than ever I want to knuckle down and get through the studies.
A few weeks ago I took advantage of an offer over at Cisco Press that allowed me to get my CCIE reference library stocked up for less than half the price it would usually have cost which has been a big help. For those wanting to know the books that I bought on the offer were:
Routing TCP/IP Volume I, Second Edition
Routing TCP/IP Volume II
Troubleshooting IP routing protocols
I already had the first title in PDF format that I have been working through but sometimes felt that it was better to have a hard copy as well.
One other factor that I think has been holding me back is that I made the decision to go through all the INE Volume 1 labs one at a time and working my way through, for me personally this hasn’t really worked, I think mostly because you find yourself going through things time and time again that you consider very basic and that don’t really challenge you.
I realise that in the lab it’s not all going to be mind boggling challenges and that there are going to be plenty of sections that require the same mundane tasks that I am berating however at this point I think the better path for myself would be to dive into the Volume 2 labs and then come back to any Volume 1 labs that I feel I need to brush up on.
If anyone else has some other tips on how to stop yourself from getting distracted then please let me know, sometimes I wonder if I have a mild case of ADD when it comes to these things.
Before christmas I started my way through the INE Vol1 advanced tech labs and got through the first couple of books, I think I was at RIP.
Unfortunately because of a temporary resource issue with the CCIE rack I have use of combined with christmas, work being hectic due to a new DC rollout and my January holiday over to the USA the studies got put to one side.
Since then I’ve moved out from my parents house (yes, get all the living with your parents jokes out of the way now) into my own place. It’s take a few weeks to get settled but its starting to feel a little more like home now.
Last week (Friday) I started the INE labs over from scratch, whilst I probably could have gotten away with starting where I left off I didn’t want to and I wasn’t really that far through anyway.
Being in a place of my own is actually pretty conducive to studying as there are only distractions that you create which is always a good thing.
Back to topic and the B&S Vol1 book was pretty good and the only things I had to look up was PPPoE, mainly just for a CLI refresher though.
Next up is Frame Relay which I hope to get out of the way by Wednesday and then its on to Routing.
I’m hoping to put in a couple of hours every night, or if I miss a night then I will double up on another etc.