It's my time: Mrock's CCIE thread


Mrock4 (Banned, 2,359 posts):
    Day 1 of my new study schedule. Hitting PVLANs for the first time in my CCIE studies. Last time I did my layer 2 studies I skipped over PVLANs for some reason. I suppose I was apprehensive to play with them since I've never needed them in production (until recently). It's funny, because in only an hour of labbing, I wondered why I hadn't attacked them earlier.

Mrock4 (Banned, 2,359 posts):
    Went over some MSTP labs yesterday, felt really good. Couple of minor things I had forgotten, but most of it came back pretty quick, and learned a couple of things along the way.

    Today I'm going to lab a couple of hours as well. I've written a schedule of topics to cover for each day on my whiteboard in my office, but I forget what I was supposed to cover today. I want to say I'm going to review VACLs, and some other stuff.

jamesp1983 (Member, 2,475 posts):
    Keep it up!
    "Check both the destination and return path when a route fails." "Switches create a network. Routers connect networks."

Mrock4 (Banned, 2,359 posts):
    jamesp1983 wrote: »
    Keep it up!

    Thanks James. Saw you're over at IEOC. I just signed up, so I'll probably be lurking there a while. Hoping to really dig in for the next few months. As of now, I'm not confident I can make a 2012 attempt, but I'd like to try at least, and if I'm not ready, push it back to feb 2013 (or so). I think getting the forum posts on my e-mail will be a nice way for me to gain some knowledge when not labbing.

    I'll still update this thread too, but at the end of the day my goal is the CCIE, so I've gotta keep my eye on the prize.

Mrock4 (Banned, 2,359 posts):
    Wow..so a very productive session! Learned something very important:

    -When configuring VLAN access-maps, be SURE to allow STP/ARP traffic! I had read this, but completely disregarded it when completing an INE lab, and got some strange results. I had some devices that would ping, others wouldn't. ARP showed an incomplete entry for one device, so I believed that was the issue. Verified my mac access-lists were permitting all ARP traffic (permit any any 0x806 0x0)...then finally a lightbulb went off and I checked spanning-tree. Check the screenshot out..

    So I went "WTF?"...wondering why the switches weren't agreeing on a root bridge. Quickly realized that BPDUs likely weren't being received on each end. Did a "show spanning-tree int f0/13 det" (trunk port), and verified the received BPDU count wasn't incrementing. Adjusted the mac ACL, added the line "permit any any 0xAAAA 0x0", and STP was working again, and all is well. INE didn't mention a word about this in their solution, but I'm kind of glad: I'll never make that mistake again, and if I do, I'll know what my problem is! Back to labbing...


Zartanasaurus (Member, 2,008 posts):
    Mrock4 wrote: »
    Wow..so a very productive session! Learned something very important:

    -When configuring VLAN access-maps, be SURE to allow STP/ARP traffic! I had read this, but completely disregarded it when completing an INE lab, and got some strange results. I had some devices that would ping, others wouldn't. ARP showed an incomplete entry for one device, so I believed that was the issue. Verified my mac access-lists were permitting all ARP traffic (permit any any 0x806 0x0)...then finally a lightbulb went off and I checked spanning-tree. Check the screenshot out..

    So I went "WTF?"...wondering why the switches weren't agreeing on a root bridge. Quickly realized that BPDUs likely weren't being received on each end. Did a "show spanning-tree int f0/13 det" (trunk port), and verified the received BPDU count wasn't incrementing. Adjusted the mac ACL, added the line "permit any any 0xAAAA 0x0", and STP was working again, and all is well. INE didn't mention a word about this in their solution, but I'm kind of glad: I'll never make that mistake again, and if I do, I'll know what my problem is! Back to labbing...
    Blog post on this very thing that I have in my favorites:
    Security: Common Ethertypes in Vlan Access Maps | ardenpackeer.com | Network Fu
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMware vSphere 5 42.8%

Mrock4 (Banned, 2,359 posts):
    Blog post on this very thing that I have in my favorites:
    Security: Common Ethertypes in Vlan Access Maps | ardenpackeer.com | Network Fu

    Love Arden's blog. Thanks for sharing the link! added to favorites too.

Forsaken_GA (Member, 4,024 posts):
    Mrock4 wrote: »
    -When configuring VLAN access-maps, be SURE to allow STP/ARP traffic! I had read this, but completely disregarded it when completing an INE lab, and got some strange results. I had some devices that would ping, others wouldn't. ARP showed an incomplete entry for one device, so I believed that was the issue. Verified my mac access-lists were permitting all ARP traffic (permit any any 0x806 0x0)...then finally a lightbulb went off and I checked spanning-tree. Check the screenshot out..

    You're not incorrect in saying you need to allow STP/ARP, but it's the wrong overall solution. If you simply try to allow all traffic you think you need to, you're going to forget something, plus you've got an administrative nightmare waiting to happen when new types of traffic get introduced down the road and your VACL didn't account for them.

    The safe way to implement a VACL is to match the traffic you want to deny, and then set its traffic to drop, then make absolutely certain that the last statement in the VACL is a default action forward. This is the best way to make sure you don't screw yourself (unless, of course, the task specifically says 'only allow this crap', in which case you do that)
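Editor's note: the two posts above describe the same failure mode from opposite sides (Mrock4's permit-list MAC ACL silently dropped the SNAP-encapsulated BPDUs until 0xAAAA was added; Forsaken_GA's point is that a deny-list with a trailing default forward never has that problem). The model below is an added example written for this page, not code from the thread, from INE, or from Cisco. It encodes how a Catalyst VLAN access-map evaluates a frame as the editor understands it (sequences tried in order, a sequence matches when its ACL permits the frame or it has no match clause, first match wins, no match means drop), leaves IP frames out because they are matched by an IP ACL rather than a MAC ACL on these platforms, and treats 0xAAAA as the value that matches PVST+ BPDUs because that is what fixed Mrock4's lab. The ACL names, sequence numbers and sample frames are all constructed.

```python
"""Model of Catalyst VLAN access-map (VACL) evaluation over a MAC ACL.

Added example (editor's code, not from the thread, INE, or Cisco). Assumed
IOS semantics, stated here so they can be checked against the real box:
  * sequences are tried in ascending order; a frame matches a sequence when
    the referenced ACL permits it (an ACL deny means "try the next sequence"),
    or when the sequence has no match clause at all;
  * the first matching sequence's action is final;
  * a frame that matches no sequence is dropped (implicit deny).
IP frames are left out: they are matched by an IP ACL, not a MAC ACL.
ACL names, sequence numbers and sample frames are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Ethertype values as the MAC ACL sees them. 0xAAAA is the value Mrock4 added
# to restore STP: PVST+ BPDUs on a trunk are SNAP encapsulated, and the thread
# reports that this entry matches them (taken from the thread, not re-verified).
ETHERTYPE_ARP = 0x0806
ETHERTYPE_SNAP = 0xAAAA
ETHERTYPE_APPLETALK = 0x809B
ETHERTYPE_LLDP = 0x88CC


@dataclass(frozen=True)
class Frame:
    name: str
    ethertype: int


@dataclass
class MacAcl:
    """Models 'mac access-list extended NAME' as (permit, ethertype, mask) entries."""
    name: str
    entries: List[Tuple[bool, int, int]] = field(default_factory=list)

    def permits(self, frame: Frame) -> bool:
        for permit, ethertype, mask in self.entries:
            # 'permit any any 0x806 0x0': the mask is a wildcard of don't-care
            # bits, so 0x0 means an exact match on the ethertype.
            if (frame.ethertype & ~mask) == (ethertype & ~mask):
                return permit
        return False  # implicit deny at the end of every ACL


@dataclass
class Sequence:
    number: int
    action: str                      # "forward" or "drop"
    match: Optional[MacAcl] = None   # None models 'action ...' with no match clause


def evaluate(access_map: List[Sequence], frame: Frame) -> str:
    """Return the action the access-map applies to one frame."""
    for seq in sorted(access_map, key=lambda s: s.number):
        if seq.match is None or seq.match.permits(frame):
            return seq.action
    return "drop"  # no sequence matched: implicit deny


# Sample frames (constructed).
ARP = Frame("ARP", ETHERTYPE_ARP)
BPDU = Frame("PVST+ BPDU (SNAP)", ETHERTYPE_SNAP)
APPLETALK = Frame("AppleTalk", ETHERTYPE_APPLETALK)
LLDP = Frame("LLDP (introduced later)", ETHERTYPE_LLDP)

# 1. Permit-list, as in the first attempt: only what you thought of gets through.
#      mac access-list extended ALLOWED
#       permit any any 0x806 0x0
#      vlan access-map TASK 10
#       match mac address ALLOWED
#       action forward
PERMIT_LIST = [Sequence(10, "forward", MacAcl("ALLOWED", [(True, ETHERTYPE_ARP, 0x0)]))]

# 2. Same permit-list after 'permit any any 0xAAAA 0x0' was added (Mrock4's fix).
PERMIT_LIST_FIXED = [Sequence(10, "forward", MacAcl("ALLOWED", [
    (True, ETHERTYPE_ARP, 0x0), (True, ETHERTYPE_SNAP, 0x0)]))]

# 3. Deny-list, as Forsaken_GA describes: match what must die, then default forward.
#      mac access-list extended BLOCKED
#       permit any any 0x809B 0x0
#      vlan access-map TASK 10
#       match mac address BLOCKED
#       action drop
#      vlan access-map TASK 20
#       action forward
DENY_LIST = [
    Sequence(10, "drop", MacAcl("BLOCKED", [(True, ETHERTYPE_APPLETALK, 0x0)])),
    Sequence(20, "forward"),
]


def report(access_map: List[Sequence]) -> dict:
    """Action per sample frame, keyed by frame name."""
    return {f.name: evaluate(access_map, f) for f in (ARP, BPDU, APPLETALK, LLDP)}


if __name__ == "__main__":
    for label, amap in (("permit-list", PERMIT_LIST),
                        ("permit-list + 0xAAAA", PERMIT_LIST_FIXED),
                        ("deny-list + default forward", DENY_LIST)):
        print(label, report(amap))
```

Run it and compare the three reports: the bare permit-list drops the BPDU (Mrock4's symptom), the patched permit-list forwards the BPDU but still drops the LLDP frame that was never anticipated (Forsaken_GA's "new types of traffic down the road"), and the deny-list drops only AppleTalk and forwards everything else without anyone having to enumerate STP, ARP or LLDP. The constants and IOS snippets in the comments are illustrations of the shape of each approach, not a tested configuration.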

Mrock4 (Banned, 2,359 posts):
    My solution matched the workbook's solution, so I'm not sure what you mean there. In production, I get what you're saying, but the CCIE lab is certainly anything BUT production :)

    Plus, I cannot say I have ever seen VLAN access-maps used in production with MAC ACL's. I do appreciate the best practice tip though, I will definitely keep it in mind.

Mrock4 (Banned, 2,359 posts):
    Not CCIE related (today is an 'off' day), but I got word via e-mail that I passed my CISSP. Pretty awesome, considering I really didn't want to have to study that stuff again.

Forsaken_GA (Member, 4,024 posts):
    Mrock4 wrote: »
    My solution matched the workbook's solution, so I'm not sure what you mean there. In production, I get what you're saying, but the CCIE lab is certainly anything BUT production :)

    Plus, I cannot say I have ever seen VLAN access-maps used in production with MAC ACL's. I do appreciate the best practice tip though, I will definitely keep it in mind.

    Well, that's why I say, it depends on the task. I'm guessing you're still working through vol 1? When you run into VACLs in vol 2 and on INE Mock Labs (if you decide to take them) what I said will be a lot more useful to you :)

    Was just curious, as I'm assuming you were working on task 11.20, and it does specifically say to allow STP and ARP, and mentions it in the solution.

vCole (Member, 1,573 posts):
    Mrock4 wrote: »
    Not CCIE related (today is an 'off' day), but I got word via e-mail that I passed my CISSP. Pretty awesome, considering I really didn't want to have to study that stuff again.


    Congrats!

jamesp1983 (Member, 2,475 posts):
    Mrock4 wrote: »
    Not CCIE related (today is an 'off' day), but I got word via e-mail that I passed my CISSP. Pretty awesome, considering I really didn't want to have to study that stuff again.


    Congrats! You are moving right along.
    "Check both the destination and return path when a route fails." "Switches create a network. Routers connect networks."

Mrock4 (Banned, 2,359 posts):
    Forsaken_GA wrote: »
    Well, that's why I say, it depends on the task. I'm guessing you're still working through vol 1? When you run into VACLs in vol 2 and on INE Mock Labs (if you decide to take them) what I said will be a lot more useful to you :)

    Was just curious, as I'm assuming you were working on task 11.20, and it does specifically say to allow STP and ARP, and mentions it in the solution.

    While we're assuming things and using smilies ( :) ), I'll assume you're using the wrong workbook :)

    Additionally, you assume I'll be using INE Vol II (or III..or any of their products after Vol I), and that's wrong as well. I won't go into my spiel, but for now, I'm going with another vendor. That may change, but we'll see.

Mrock4 (Banned, 2,359 posts):
    Thanks cole and james. Now if I can have the same luck with the lab reasonably soon, I will be really happy.

Forsaken_GA (Member, 4,024 posts):
    Mrock4 wrote: »
    While we're assuming things and using smilies ( :) ), I'll assume you're using the wrong workbook :)

    Additionally, you assume I'll be using INE Vol II (or III..or any of their products after Vol I), and that's wrong as well. I won't go into my spiel, but for now, I'm going with another vendor. That may change, but we'll see.

    Well, come on dude, look back through this thread. You've made constant references to INE products including their workbooks, so it's not exactly an unreasonable assumption. If you've decided to go with another vendor, that's cool, but I can do without the snipe.

Mrock4 (Banned, 2,359 posts):
    Forsaken_GA wrote: »
    Well, come on dude, look back through this thread. You've made constant references to INE products including their workbooks, so it's not exactly an unreasonable assumption. If you've decided to go with another vendor, that's cool, but I can do without the snipe.

    I didn't mean a different vendor. I AM using INE, but an old version of the workbook, and by what you stated (I'm not at home, so I don't have the two to compare), it sounds like you're referring to a task in the newer version of the workbook. That's all- no harm meant.

Mrock4 (Banned, 2,359 posts):
    On a brighter note, I've booked my lab date- March 15, 2013. That gives me about 8 months of solid studying on top of what I've done so far.

Mrock4 (Banned, 2,359 posts):
    Just finished labbing at 1:30am. Bedtime! Covered PPP pretty extensively. Was already comfortable with the basics, but hadn't done much with MLPPP, so played with that, as well as authentication. PPPoE tomorrow, then back onto a very brief Frame Relay review, and IGPs. My goal is to get through OSPF/BGP by the beginning of September. Once I'm through those two topics (I'm reasonably solid on EIGRP/RIP), I can focus on the non-core topics a little bit. Once I've gotten through about 20% of the non-core topics I'll probably start working on a full lab once a week or so (until I complete the non-core topics).

jamesp1983 (Member, 2,475 posts):
    Ouch! What time do you have to be up for work?
    "Check both the destination and return path when a route fails." "Switches create a network. Routers connect networks."

Mrock4 (Banned, 2,359 posts):
    I took today as a comp day for some after hours work from a while ago, so no work.

Mrock4 (Banned, 2,359 posts):
    Studied PPPoE earlier today, labbed it out a bit, and scoured the Cisco docs too for stuff on PPPoE. Got a good 2 hours in early. Going to get another hour or so this evening labbing some PPPoE in GNS3. Tomorrow begins Frame Relay review; should finish that by Sunday, and begin EIGRP review Monday.

Mrock4 (Banned, 2,359 posts):
    Started my Friday night lab session late. Regardless, I've got Red Bull..so let's do this.

Mrock4 (Banned, 2,359 posts):
    Finished Frame relay. Still got a little bit of energy, so going to lab some EEM stuff until I'm tired.

Mrock4 (Banned, 2,359 posts):
    Labbed a couple of hours worth of RIP. Nothing groundbreaking, but it's good to review the basics. Should finish it up tomorrow or Monday, then it's onto EIGRP for the next week. Hoping to get to OSPF the following week and will be there a while.

NetworkVeteran (Member, 2,338 posts):
    Mrock4 wrote: »
    Labbed a couple of hours worth of RIP. Nothing groundbreaking, but it's good to review the basics. Should finish it up tomorrow or Monday
    I find RIP kinda fun to debug. No neighbor relationships, a database that tries to serve both versions at once even if only one is running, and commands that sometimes can't take effect with no warning messages. I mean, this all creates confusion we can jump in and solve!

Mrock4 (Banned, 2,359 posts):
    Absolutely NetworkVet, its simplicity with regard to debugging is great. I've actually been caught a couple of times looking for a more serious configuration problem, when it was something relatively simple..gotta KISS!

    Just finished RIP literally 2 minutes before my CCNP Sec bootcamp online. Hoping I can keep up the R&S studies this week, but we'll see.

Mrock4 (Banned, 2,359 posts):
    Wow. Well, I was really optimistic, hoping this CCNP Security bootcamp would blow any prior negative issues with INE customer service out of the water, and restore my faith in them..it hasn't.

    Half of the class are basically talking about demanding a refund from INE (which I doubt they'll get), some are already on the phone with INE complaining.

    For the record, the complaints are centered around the fact we're 4 hours into training, and all we've done is look at Cisco Docs. Plus I guess there was an instructor change (or miscommunication), so some people were upset about that. Plus it looks like the instructor (Brandon C) isn't in the chat, nor is any INE rep, so the participants can't ask questions.

    My only gripe is the slowness of the bootcamp, but many other bootcamps have started this way, so I'm going to wait until it's further in to pass judgement, since it is still early.

Mrock4 (Banned, 2,359 posts):
    INE must have gotten an earful, because after our lunch break, Brandon has been in the CLI almost exclusively, and it has been very good.

    That being said, they disabled the chat completely.

Mrock4 (Banned, 2,359 posts):
    Hitting EIGRP labs this morning. Covered time-based ACLs as part of the bootcamp last night, so I labbed that a bit yesterday.