Getting ready soon

hurricane1091 Member Posts: 918

I am down to just three classes at WGU and will finish 1 very soon, leaving just tech writing + capstone. The CCNP is logically next since I work as a Network Engineer, but don't really get to dive into the crazy depths yet. I used to think the CCNP was impossible to get to before I took the CCNA, so it's cool to be at this point.

Now, I was really planning on just reading the official book and taking notes, but I recall there being no actual labs in there. For example, I recall reading about DMVPNs. It would probably be good to have an actual lab to follow, but is it necessary or could I just go ahead and do it on my own? Curious to see what other people did.

I took a while to do the CCNA since I wanted to learn it, so there's no rush to get this done. Obviously, the sooner I get it done the better, but there's no timeline like I said. I want to be genuinely great and it's been mentioned before here, but you do not get paid the big bucks because of a cert, you only get the opportunity. You still need to ace the interview, and be good at it. So, I just would like to see what has worked for other people in recent times. I used CBT nuggets for the CCNA, but unsure if I will again.

Does anyone actually read this T-Shoot book either? Or do people just go take it after doing the route and switch exams? Equipment is also no issue as I have anything and everything available to me at work, which is fantastic.

As for the CCNP Security, is that really necessary? Now, at my job we handle the firewalls - there is no separate team. I do not do much with them yet though. My boss claims the R&S is important, but did not stress the security exam. At the point of completing the R&S, I would either do the Security or go back to WGU for an MBA. There's value in both really, I'd love to have both. But maybe someone with a Sr. Network Engineer job can go into detail on their opinion.


  • Simrid Member Posts: 327
    CCNP R&S will teach you the perfect network. You then stick a firewall in the middle and it breaks pings etc.

    I've heard CCNA:Sec isn't very ASA heavy and it teaches you the basics. If you want ASA related bits, that's in the NP:Sec. I think doing CCNP R&S would be a great place to start and then branch out imho
    Network Engineer | London, UK | Currently working on: CCIE Routing & Switching
  • Mitechniq Member Posts: 286
    I've been torn with this dilemma myself. However, I looked at several CCNP:SEC material and a lot of it makes the assumption you have a very good grasp on CCNP switching and routing protocols. As soon as I am done with VCP, I will be starting CCNP:RS and then move over to the SEC/DC stuff feeling confident I have the fundamentals down.
  • hurricane1091 Member Posts: 918
    I am definitely doing the NP R&S first, with me probably doing routing first. I don't personally know anyone with the NP:S but I know there are people here with it.

    The CCNP: R&S looks good. I actually look forward to doing it which I don't think I've ever said before about a certification lol. But now that I'm in the field, there's so much value to it because I know it's benefiting me now and in the future.
  • Simrid Member Posts: 327
    Knowledge is power and all that.

    Seriously though, it'll be worth it. It's all good fun learning new material.
    Network Engineer | London, UK | Currently working on: CCIE Routing & Switching
  • hurricane1091 Member Posts: 918
    WGU just accepted my capstone and now I finally have my BS (and an AS and AAS). CCNP starts tomorrow!
  • hurricane1091 Member Posts: 918
    I've got a lab set up, and I'm ready to go. I have 3 2811's all running the same IOS and a 3850 switch (fancy!). I've got all these in the lab at work running back to a PC via console cables (except 3850) and I can access everything by RDPing into the PC. I've got R1 connected to R2, R2 connected to R3 thru the 3850 on VLAN 100 and an SVI so I can daisy chain over to manage this switch remotely. Everything has loop back addresses which will be thrown into the routing protocols. Everything is cabled neatly and ready to go. I know with this set up I'll be able to do DMVPNs, route redistribution, and some other things. Should be good to go. I didn't take this from anywhere though and plan to just make up my own scenarios and go with the flow.
  • Segovia Member Posts: 119
    Hey I can't really comment on the CCNP but I wanted to say congratulations!

    Was the capstone really difficult? I am not looking forward to it..

    Also your lab sounds great, wish I could get my hands on that gear!
    WGU BS - IT Security ... Enrollment Date 10/15 ... Progress 45/124 CU {36%}
  • hurricane1091 Member Posts: 918

    I banged out the 35 page capstone in 3-4 days. It was not bad at all.
  • hurricane1091 Member Posts: 918
    So, the route book is 18 chapters. I had 1/3 of that many months ago but decided to restart completely. I banged out the first chapter today.

    I read that Cisco recommends you do not span a VLAN across more than one access layer switch. In reality, this has to never actually be put to practice - no? It recommends that you adjust the ARP timer to be less than the CAM aging time. Does this appear in the running config? I need to investigate.

    I don't even see these commands as being options in our network. Show arp timeout does not exist.
  • hurricane1091 Member Posts: 918
    I've been working on chapter 2, and am having trouble understanding how a Layer 2 MPLS VPN works and who actually uses them. Any ideas?
  • hurricane1091 Member Posts: 918
    Still on chapter 2, I built a GRE tunnel to see what was up. I was getting recursive routing issues, but the Sr. guy I work with pointed me in the right direction because he encountered it when building an iWan lab. I had the destination of the tunnels set to the tunnel IP address of the tunnels.

    Also, I was not going thru the tunnel from R1 to R3 but was in the reverse order. This was due to a static route I had to the tunnel address on R3 from R1. I find it interesting that a route is not needed, and assume it's because the destination is set on the tunnel interface and there is a route to that in the routing table.
  • hurricane1091 Member Posts: 918
    Been crazy busy but going to try to finish Chapter 2 today. I wish it was going faster, hopefully once the holidays pass it will. I did learn some things over the past couple of days though - like how we're using HSRP between two Layer 3 switches that run back to 1 router at branches, and how that affects egress traffic. EIGRP OSLs affect ingress traffic. Still a little confusing though!
  • hurricane1091 Member Posts: 918
    I finished reading Chapter 2. DMVPN and NHRP configuration is apparently "beyond the scope" of the CCNP book and is a CCIE thing, but I got to talking with our boss. Our environment does not work properly and he wants me to build a DMVPN w/ NHRP & mGRE lab tomorrow.

    What I am struggling to understand is that I cannot find an example of where it actually works the way it should. Like, it actually does not work the right way in our environment either I realized and my boss wants me to figure out a way to overcome it with VRFs.

    Check this out:

    Look at his verification though. His tunnel to is not actually up. He's not actually going directly there via a tunnel.

    Cisco's example is this: Configuring Dynamic Multipoint VPN (DMVPN) using GRE over IPSec between Multiple Routers - Cisco

    This is using static routes though, which isn't going to scale. Hmm.
  • hurricane1091 Member Posts: 918
    No progress made on this yet. I've spent all my time labbing a DMVPN environment which is apparently CCIE level stuff.

    The diagram is here that I made. I found a useful follow-along online and then figured out the differences for myself. Read some good info too. It works as it should, but the challenge is to make it work with the default route going back to the hub and now the ISP next-hop.

    What I learned:

    1. You cannot use a summary address in this scenario - which is something I recall from the CCNA days. However, if you redistribute a routing protocol into OSPF, you are able to use a summary address.

    2. Learned how to inject a default route into OSPF from the hub (which I'll need to do next to get it working the way I want)

    3. It's the first time in a while I have had to make ISAKMP and IPSec policies, so that was a good refresher. Got to troubleshoot it too.

    4. Learned how to set up DMVPN and NHRP

    While not really covered on the CCNP, it was a good exercise and I'm hoping to get this to production at work.
  • hurricane1091 Member Posts: 918
    Well I removed the static default route to the physical next hop and it's been replaced with a default route learned via OSPF to the tunnel IP of the hub thru the default information originate command. Everything still works as it should but I am slightly unsure how the router knows to go to the physical next hop to form a tunnel with a spoke. It's obviously "in the nature of NHRP/DMVPN" but I need a concrete answer. I know it works though because a traceroute from Spoke A will go to the hub, then Spoke B. Another traceroute after will go directly to B, and a tunnel is seen in "show ip nhrp". If you type a random IP (like an internet address) and traceroute it, you can see it goes back to the hub. Hmm!
  • hurricane1091 Member Posts: 918
    After some packet capturing and research, the tunnel was forming correctly and the DMVPN environment worked.

    However, the tunnel was going THROUGH the hub, which is useless. My boss showed me how to correct this with a VRF but it's slightly over my head and I really need to look at it again today.

    So yeah, back on track to the CCNP next week I'm thinking after spending 5 days working on some CCIE level stuff. I do need to implement this though. Amazing the stuff you learn from actually doing.
  • hurricane1091 Member Posts: 918
    Was looking at this DMVPN/NHRP/VRF lab I had done today and it makes decent sense. I was thinking of making a cat tools job to fix the entire environment, but that will not work. The IP address of the interface gets removed when you add in VRF forwarding. There is another obstacle to overcome too but I need to sit down and think about it.

    Anyways, I will do Chapter 3 today and get back on track. Not that excited for this chapter.
  • hurricane1091 Member Posts: 918
    Half way thru Chapter 4. I have EIGRP configured between the hub and the switch in that diagram now. Messed with setting up the hello and dead timers and the passive interface stuff. It's been awhile and basic stuff, but feeling good.
  • HardDisk Member Posts: 62
    Just a heads up. OSPF and EIGRP dead timers work differently.
    When you tweak the EIGRP dead timer (hold-time) it actually changes the EIGRP neighbor's dead timer.
    When you tweak the OSPF dead timer it only affects the host router and has no effect on the neighbor's dead timer.

    R1(config)#interface serial 2/0
    R1(config-if)#ip hello-interval eigrp 100 2
    R1(config-if)#ip hold-time eigrp 100 6 <--- confusing because this sets the neighbor's hold timer.
  • hurricane1091 Member Posts: 918
    Hello! I finished Chapter 4 today. I had previously noticed that changing the hello timer did not have an effect on the neighbor. I know in EIGRP that hello/dead timers do not have to match though.

    Update: I misunderstood the concept and re-read it. What you are saying makes sense. I thought you were suggesting that if I make the dead timer 10 seconds on R1, it will change it on the neighbor.

    That was a helpful hint, thank you.
  • hurricane1091 Member Posts: 918
    Dug into chapter 5 today - Advanced EIGRP topics. Somewhere in this chapter is what I read up to previously, so the second half of it will be all new. I labbed up some off set list and broke out the calculator to really understand how the EIGRP FD is calculated (which is simple, but really breaking out the calculator and understanding where the FD came from). I also typed up the EIGRP OSL that was non-existent on the two branch switches for an office I am relocating next week. These offices are small and only have 2 switches and one router mostly, but it makes sense now why we're using off set lists there (and HSRP) which was cool. Good progress today, slowly but surely coming along.
  • hurricane1091 Member Posts: 918
    Dug more into chapter 5 today and will finish tomorrow. Did some simple route filtering in my lab, nothing crazy.
  • hurricane1091 Member Posts: 918
    Done chapter 5 and moving onto chapter 6. Going to review all notes up until this point first. I've labbed everything so far. It's slow going, but I try to use the knowledge when I learn it and better understand our production environment. Labbed up route summarization and saw it fail when I tried to summarize but was only permitting and in my distribute-list ACL which was cool. Also drew out and realized why summarization for the branch offices here is not an option and would cause issues which was good. Good stuff so far.
  • siggnation Member Posts: 182
    I think the route filtering topic was one of the most important while I studied Route. Keep it up!
    Currently Reading:

    CCIE Routing and Switching Written Exam v. 5.1
    CCIE Routing and Switching 5.0 OCG, Vol. I
    Cisco Lan Switching
  • hurricane1091 Member Posts: 918
    I will!

    I finished Chapter 6. However, I am going to NY this weekend to open up a new office. It should be a good chance to put a dent into this thing, but we'll see.

    I need to rebuild my lab because that DMVPN lab I have for work uses OSPF, and that is what Chapter 7 is on. I am going to go ahead and strip all CCNP stuff off of that DMVPN lab and build a stand-alone lab with 3 2811's today. Should not be too hard, I hope the correct IOS is already on them. Next week I am going to try to figure out the last little bit of this DMVPN lab.

    The route filtering stuff is good. It will be good for me to get to the BGP section and learn a bunch. It's different, but in a similar idea I know we are pushing traffic out the side with the Riverbed (anyone ever use these things???) at the distribution layer, and then at the edge doing something else to load balance out.
  • hurricane1091 Member Posts: 918
    Ended up taking off all CCNP stuff out of my DMVPN work lab and then saving the config to flash. Started fresh with the same topology but am using the switch as layer 2 now and no longer using the cable between R3 and the SW (but it is still there). This will work well. On to chapter 7.
  • hurricane1091 Member Posts: 918
    Started Chapter 7. I need to begin getting a faster pace I think though. It's going good but still I could do more.
  • hurricane1091 Member Posts: 918
    Done chapter 7, onto chapter 8. Not a lot of labbing going on in Chapter 7, but I did mess with the hello/dead timers and debug to see them fail and the mismatch notifications come through. A good reminder of a lot of OSPF things I forgot in that chapter though.
  • hurricane1091 Member Posts: 918
    Chapter 8 almost done and almost half way thru the book. Spent a good amount of time understanding all the show commands in the chapter. I was doing something wrong in my lab and had a different OSPF process for each area, not sure why. Was causing issues but me and my buddy worked through it. Going well.
  • hurricane1091 Member Posts: 918
    Done Chapter 8. Onto Chapter 9.