Going for the CCNP
Comments
-
tomtom1 Member Posts: 375
Still searching for some switches while the Bryant material is underway. Is the SWITCH simplified any good?
-
fredrikjj Member Posts: 879
Is the SWITCH simplified any good?
Some people think that it's great, and some people don't. I've read it, and I don't think that it lives up to the hype. I've also read the official certification guide which I find to be a better textbook overall due to better language and a greater emphasis on actually teaching you the material. At times Switch Simplified reads like a configuration guide, and that's not really what I'm looking for in a textbook. My recommendation would be to read the OCG and supplement with the 3560 configuration guide as you are practicing your hands-on skills.
-
tomtom1 Member Posts: 375
Some people think that it's great, and some people don't. I've read it, and I don't think that it lives up to the hype. I've also read the official certification guide which I find to be a better textbook overall due to better language and a greater emphasis on actually teaching you the material. At times Switch Simplified reads like a configuration guide, and that's not really what I'm looking for in a textbook. My recommendation would be to read the OCG and supplement with the 3560 configuration guide as you are practicing your hands-on skills.
Coming from the guy who found the ROUTE OCG not dry, haha. I've ordered the switch OCG and now the only thing I need are a few decent switches. Hoping to pick them up somewhere next week.
-
tomtom1 Member Posts: 375
I'd go with 4x 3560s. It'll be pricey but it will pay off if you do go for your CCIE. I would check with your employer if they have any extra gear lying around.
I've got 3 of those and judging by this command (sh ver didn't give me memory info) they have 32 MB of RAM which means they will run IOS 15.
SW02#show file systems
File Systems:
Size(b) Free(b) Type Flags Prefixes
* 32514048 17094656 flash rw flash:
524288 523212 nvram rw nvram:
Managed to pick these up for 350 for all 3 so I'm happy about the price to say the least
The OCG should arrive today or next week.
Edit: Yup, IOS 15 works like a charm:
Switch Ports Model              SW Version            SW Image
*    1 26    WS-C3560-24TS      15.0(1)SE             C3560-IPSERVICESK9-M
-
tomtom1 Member Posts: 375
Made some first few steps into the SWITCH area today which was mostly review from the CCNA studies, but at the same time stuff I had to refresh on to form a solid basis. I will be using this thread to cover some notes / scenarios that I'm testing.
Dynamic trunking protocol (DTP)
Dynamic Desirable = default. DTP frames are being sent and the port is actively trying to form a trunked link. It will become a trunked link when the remote end is either trunk, dynamic auto or dynamic desirable.
SW01(config-if)#sw mod dynamic desirable
Dynamic Auto = DTP frames are being sent and received. If the remote end is either trunked or dynamic desirable a trunk link is formed.
SW01(config-if)#sw mod dynamic auto
Trunked = The link is set into a permanent trunking state. The remote end does not have to agree on the negotiation.
SW01(config-if)#sw mod trunk
Access = The link is set into a permanent access state. The remote end does not have to agree on the negotiation.
SW01(config-if)#sw mod access
No negotiation = A fixed link type (either access or trunk) must be configured on both ends.
SW01(config-if)#switchport nonegotiate
On modes where DTP frames are being sent (all but nonegotiate) DTP packets will be sent out with a default interval of 30 seconds. You can check this by using show dtp:
SW01#show dtp
Global DTP information
        Sending DTP Hello packets every 30 seconds
        Dynamic Trunk timeout is 300 seconds
        5 interfaces using DTP
When both 802.1Q and ISL are supported on both ends, ISL will be the preferred option. All active VLANs (1 - 4091) will be allowed on the trunk by default.
Some extra debug information can be shown by running the command show interface <interface name> switchport, which shows the current status of the link, either by hardcoding it as an access or trunked port or by dynamically negotiating a trunked link:
SW01#show interfaces gigabitEthernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
-
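Added example, not part of the original post: a Python audit of `show interfaces switchport` output that applies the DTP rules from the notes above and lists the ports that would still negotiate a trunk. The sample output is constructed (Gi0/1 mirrors the values in the post, Fa0/2 and Fa0/3 are made up), and the function names are this example's own.

```python
MODES = ("dynamic desirable", "dynamic auto", "trunk", "access")

# Constructed sample in the format of `show interfaces switchport`.
SAMPLE = """\
Name: Gi0/1
Administrative Mode: dynamic auto
Operational Mode: down
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)

Name: Fa0/2
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 200 (VLAN0200)

Name: Fa0/3
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
"""

def dtp_outcome(local, remote):
    """Link result for two administrative modes, following the rules in the post."""
    pair = {local, remote}
    if pair == {"trunk", "access"}:
        return "mismatch"            # both ends hard-coded and they disagree
    if "access" in pair or pair == {"dynamic auto"}:
        return "access"              # nobody actively asks for a trunk
    return "trunk"

def parse_switchports(text):
    """Return one dict of 'Key: value' fields per interface block."""
    ports = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "Name":
            ports.append({})         # a Name line starts a new interface
        if ports:
            ports[-1][key.strip()] = value.strip()
    return ports

def audit(ports):
    """Flag ports that can become a trunk through DTP or still send DTP frames."""
    findings = []
    for port in ports:
        mode = port.get("Administrative Mode", "")
        negotiating = port.get("Negotiation of Trunking", "").lower() == "on"
        if mode in ("dynamic desirable", "dynamic auto"):
            peers = [m for m in MODES if dtp_outcome(mode, m) == "trunk"]
            findings.append((port["Name"],
                             "%s: becomes a trunk if the peer is %s"
                             % (mode, " or ".join(peers))))
        elif negotiating:
            findings.append((port["Name"],
                             "%s but still sending DTP; add switchport nonegotiate"
                             % mode))
    return findings

if __name__ == "__main__":
    for name, message in audit(parse_switchports(SAMPLE)):
        print(name, "-", message)
```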
gorebrush Member Posts: 2,743
Just want to pick up an earlier comment on configuring routing protocols - configuring under the process is largely considered the legacy operation now.
Also, try EIGRP Named Mode that will expand horizons a bit! Don't waste too much on it though - I don't know if it's on the ROUTE blueprint!!
-
tomtom1 Member Posts: 375
VLAN Trunking protocol VTP
The VLAN trunking protocol is designed to propagate the VLAN database (vlan.dat stored on flash:) from a switch operating in VTP server mode to VTP clients in the same management domain. In order for this process to work, the switches have to be:
-> Running trunked (either ISL or 802.1q) links
-> Running the same version of VTP (either 1, 2 or 3)
-> In the same VTP management domain (case sensitive)
The entire concept of VTP is based upon the revision number of a switch's VLAN database:
SW01#show vtp status | i Revision
When VTP is enabled, the switch will send out a summary packet every 5 minutes. This packet contains the VTP management domain name and the configuration revision. When a remote switch receives this packet, it checks the VTP domain name against its locally configured VTP domain name. If no match is found, the packet is ignored. If the VTP domain name is the same, the switch checks the revision number. If the revision number in the advertisement is equal or lower, the packet is ignored. If the revision number in the packet is higher, a request is sent.
A VTP enabled switch can be in one of 3 modes:
Server - A VTP server switch has the possibility to edit the VLAN database by either adding, removing or modifying VLANs. This information is propagated to the other VTP enabled switches in the same management domain.
Client - A VTP client has a read-only copy of the database. When trying to edit the VLAN database on a VTP client, an error message is thrown:
SW02(config)#vlan 200
VTP VLAN configuration not allowed when device is in CLIENT mode.
Transparent - A VTP transparent switch has the possibility to edit the VLAN database by either adding, removing or modifying VLANs. This information is not propagated to the other switches. When VTP version 2 is enabled, it does forward VTP packets it receives on to other trunked links.
You can check the configuration revision, the domain name and the version of VTP running by issuing the command:
SW02#sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 001c.575e.bf80
Configuration last modified by 192.168.1.211 at 3-1-93 06:15:02

Feature VLAN:
--------------
VTP Operating Mode                : Client
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 10
Configuration Revision            : 6
MD5 digest                        : 0xDC 0xF4 0x1E 0xBD 0x43 0xE3 0x88 0xB1
                                    0x2B 0xFF 0x2A 0xD8 0x49 0x84 0x3A 0xC6
Configure a VTP domain name and set the mode:
SW02(config)#vtp domain CCNP
Changing VTP domain name from switch to CCNP
SW02(config)#vtp mode client
Setting device to VTP Client mode for VLANS.
VTP Versions
The default VTP version running on switches is VTP version 1. VTP version 2 differs on a few points from VTP version 1.
1) VTP Version 2 enabled Token Ring support
2) VTP Version 2 does a consistency check on VLAN names / VLAN IDs based on the information in the VTP advertisements.
3) VTP switches operating in transparent mode pass VTP information on to other switches. This is helpful in situations like this:
In VTP version 2 the VTP switch operating in transparent mode passes the VTP information to the switch connected to it running in VTP client mode. You can change the VTP version in global configuration mode:
SW03(config)#vtp version 2
-
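Added example, not part of the original post: a Python pre-connection check that parses two `show vtp status` outputs and applies the summary-advertisement rules from the notes above (same version, case-sensitive domain, higher revision triggers a request) in both directions. The two status excerpts are constructed (PROD mirrors the values in the post, LAB is a made-up switch about to be cabled in) and the function names are this example's own.

```python
# Constructed `show vtp status` excerpts.
PROD = """\
VTP version running             : 1
VTP Domain Name                 : CCNP
VTP Operating Mode                : Client
Configuration Revision            : 6
"""
LAB = """\
VTP version running             : 1
VTP Domain Name                 : CCNP
VTP Operating Mode                : Server
Configuration Revision            : 42
"""

def parse_vtp_status(text):
    """Pull the fields that decide how a summary advertisement is handled."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "version": int(fields["VTP version running"]),
        "domain": fields["VTP Domain Name"],
        "mode": fields["VTP Operating Mode"].lower(),
        "revision": int(fields["Configuration Revision"]),
    }

def on_summary(receiver, sender):
    """What `receiver` does with a summary advertisement originated by `sender`."""
    if sender["mode"] in ("transparent", "off"):
        return "none-sent"           # does not propagate its own database
    if receiver["mode"] in ("transparent", "off"):
        return "not-applied"         # keeps its locally configured database
    if receiver["version"] != sender["version"]:
        return "ignored-version"
    if receiver["domain"] != sender["domain"]:      # comparison is case sensitive
        return "ignored-domain"
    if sender["revision"] <= receiver["revision"]:
        return "ignored-revision"
    return "request"                 # receiver asks for the sender's database

def preconnect_check(existing, newcomer):
    """Evaluate both directions before a trunk to `newcomer` is brought up."""
    inbound = on_summary(existing, newcomer)
    return {
        "existing_receives": inbound,
        "newcomer_receives": on_summary(newcomer, existing),
        "existing_db_at_risk": inbound == "request",
    }

if __name__ == "__main__":
    print(preconnect_check(parse_vtp_status(PROD), parse_vtp_status(LAB)))
```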
tomtom1 Member Posts: 375
Just want to pick up an earlier comment on configuring routing protocols - configuring under the process is largely considered the legacy operation now.
Also, try EIGRP Named Mode that will expand horizons a bit! Don't waste too much on it though - I don't know if it's on the ROUTE blueprint!!
I've already got the ROUTE part down, but I'll take a look at this. Never come across it before, so I'll definitely check it out. Also thanks for the advice on the 32 meg RAM in the switches for IOS 15.
-
gorebrush Member Posts: 2,743
The irony is, of course, that my 3750s run 12.2(52)SE, which supports VTP v3
-
tomtom1 Member Posts: 375
STP 802.1d
Spanning tree BPDUs are sent out every 2 seconds. The root ID consists of the priority and the mac address of the switch.
Root port: Port closest to the root bridge, used to reach the root bridge.
Designated port: In forwarding mode on one side, in blocking on the other
Blocking: Not actively forwarding traffic, blocked by STP.
Only one end of a link is blocked. The other end of the link is a designated port in forwarding state. The end with the higher mac address has the port in blocking mode.
When PVST is running, the priority consists of 32768 + sys-id-ext (VLAN ID). For VLAN 1 the bridge priority is 32769. To set the bridge priority in a PVST instance (i.e. VLAN 1):
SW01(config)#spanning-tree vlan 1 priority 4096
Classic spanning tree (802.1d) port status
Listening - 15 seconds listening for BPDU’s on the network. Traffic is not being forwarded.
Learning - 15 seconds learning entries for the mac-address-table. Traffic is not being forwarded.
Forwarding - The port is up and actively forwarding traffic.
Blocking - The port is blocking
When the convergence has to occur and the port is in blocking state, 20 seconds of timers (max-age) has to expire before the port is being set into listening mode. This could cause the outage to be a maximum of 50 seconds with classic spanning tree protocol.
Because of the slow convergence of classic STP (802.1d) due to the max age, listening and learning delays, Portfast solves one of these problems by making the port skip both the listening and learning state and go directly into a forwarding state. Portfast should only be configured on edge ports, ports that connect to an endpoint and cannot form L2 switching loops.
SW01(config-if)#spanning-tree portfast
Uplinkfast is a Cisco proprietary feature that allows faster link recovery upon failure of the root port. When uplinkfast is enabled, the root ports and the blocking ports are set into an uplink group. When the root port fails, the blocking port is put into FWD (forwarding) mode and the listening and learning timers are skipped. This allows for faster convergence. Uplinkfast is enabled globally.
SW02(config)#spanning uplinkfast
Root guard is an STP security feature that kicks in when a superior BPDU is received on an interface. Without root guard, a rogue switch could take control of the STP domain and become the root bridge. When root guard is enabled (per interface basis) every downstream BPDU is discarded and the port is set into a root inconsistent port state. Root guard is configured on a per interface basis with the following command:
SW02(config-if)#spanning guard root
BPDU guard is an STP security feature that is used in combination with portfast. When BPDUs are received on a port that is configured with PortFast the switch knows that there isn't an end device connected to that port. If BPDU guard is configured, this kicks in and the port is set into an error disabled state. The link and line protocol both go down. BPDU guard is enabled per interface with:
SW02(config-if)#spanning bpduguard enable
*Mar 1 19:02:33.162: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/2 with BPDU Guard enabled. Disabling port.
*Mar 1 19:02:33.162: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/2, putting Fa0/2 in err-disable state
*Mar 1 19:02:34.177: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
-
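Added example, not part of the original post: a Python check that walks a running-config for PortFast ports lacking BPDU guard (or PortFast on a trunk) and extracts BPDU guard err-disable events from syslog. The configuration is constructed, the log lines are the ones quoted in the post, and the function names are this example's own; a global `spanning-tree portfast bpduguard default` line is treated as covering every PortFast port.

```python
import re

# Constructed running-config fragment.
CONFIG = """\
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
 spanning-tree portfast
 spanning-tree bpduguard enable
!
"""

# Log lines as quoted in the post.
LOG = """\
*Mar 1 19:02:33.162: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/2 with BPDU Guard enabled. Disabling port.
*Mar 1 19:02:33.162: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/2, putting Fa0/2 in err-disable state
*Mar 1 19:02:34.177: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
"""

ERR_RE = re.compile(
    r"^\*?(?P<ts>.+?): %PM-4-ERR_DISABLE: bpduguard error detected on (?P<port>\S+),")

def interface_blocks(config):
    """Map each interface name to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None           # "!" or a global command ends the block
    return blocks

def audit_stp(config):
    """Flag PortFast ports that are trunks or that have no BPDU guard."""
    global_guard = "spanning-tree portfast bpduguard default" in config
    findings = []
    for name, lines in interface_blocks(config).items():
        if "spanning-tree portfast" not in lines:
            continue
        if "switchport mode trunk" in lines:
            findings.append((name, "portfast on a trunk port, not an edge port"))
        if not global_guard and "spanning-tree bpduguard enable" not in lines:
            findings.append((name, "portfast without BPDU guard"))
    return findings

def bpduguard_trips(log):
    """Return (timestamp, port) for every BPDU guard err-disable event."""
    hits = []
    for line in log.splitlines():
        match = ERR_RE.search(line)
        if match:
            hits.append((match.group("ts"), match.group("port")))
    return hits

if __name__ == "__main__":
    print(audit_stp(CONFIG))
    print(bpduguard_trips(LOG))
```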
tomtom1 Member Posts: 375
Etherchanneling:
Cisco currently has 2 Etherchanneling protocols built into IOS.
1) PaGP (Port aggregation protocol)
2) LACP (Link Aggregation Control Protocol)
The PaGP protocol is Cisco proprietary and knows 3 modes:
Auto - Will wait for a PaGP packet from the remote switch.
Desirable - Will be actively trying to form a PaGP channel with a remote switch. PaGP packets will be sent.
On - Disables both PaGP and LACP negotiations, builds a static Etherchannel.
The LACP protocol is industry standard (802.3ad) and also knows 3 modes:
Active - The switch is actively trying to form an LACP Channel and is sending LACP packets.
Passive - The switch is waiting for a LACP packet from the remote switch.
On - Disables both PaGP and LACP negotiations, builds a static Etherchannel.
SW01(config-if)#channel-group 2 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
To put a physical interface in a Port-Channel with the mode set to on, which means a static Etherchannel:
SW01(config-if-range)#channel-group 2 mode on
-
tomtom1 Member Posts: 375
Alright, port security was on the menu today. Port security is a security measure implemented to stop MAC spoofing and could help in limiting the number of MAC addresses on an interface or even allow only certain MAC addresses to send frames on an interface.
Port security can't be enabled on:
-> Trunk port (switchport mode trunk, or ports operating in DTP mode auto or desirable)
-> Interfaces which are a member of port-channels
-> SPAN destination ports
Port-security violation modes:
-> Protect (drop incoming frames)
-> Reject (drop incoming frames, generate a syslog message and send a SNMP trap)
-> Shutdown (put the port into err-disabled). Default
Port-Security maximum
When enabled, port security by default allows for a maximum of one (1) MAC address on a secure port. This mac-address can be either dynamically learned or statically configured. You can increase the number of secure mac-addresses on an interface by using the following command:
switchport port-security maximum
Port-security mac-address
Port security can learn mac-address via 2 ways:
1) Statically configured on the interface
2) Dynamically learned by looking at the source mac-address on incoming frames
By configuring the switchport with statically configured secure mac-addresses, you put a hard limit on the mac-addresses allowed to connect on an interface. If the source MAC address of incoming frames does not match the one configured, the configured violation occurs.
Configure a static mac-address with port security like this:
switchport port-security mac-address aaaa.aaaa.aaaa
You can also configure sticky mac-addresses with port-security. Sticky mac-addresses are dynamically learned but once learned, are saved in the configuration so they don't have to be relearned when the switch reboots. Configure sticky mac-addresses:
switchport port-security mac-address sticky
Port-security aging
By default, port-security does not age out entries learned (timer set to 0). You can configure aging in 2 types:
1) Absolute (Specify a "hard" timer for when a secure mac-address will age out)
2) Inactivity (Specify a timer for when a secure mac-address will age out once no traffic from that source mac-address has been seen).
Configure port-security aging:
switchport port-security aging time 10
switchport port-security aging type absolute
A nice gotcha
Consider the following configuration:
SW02#sh run int fa0/16
Building configuration...

Current configuration : 201 bytes
!
interface FastEthernet0/16
 switchport access vlan 200
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address 6003.08a2.beea
One of the 2 maximum mac-address has been statically configured. This means that a second mac-address on the same interface can be dynamically learned, still be allowed to connect to the network and send frames.
Verification commands:
show port-security
show port-security interface fa0/16
-
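Added example, not part of the original post: a small Python model of a secure port that reproduces the "gotcha" above (maximum 2 with one static address still leaves one dynamic slot) and the difference between absolute and inactivity aging. The class, the non-static MAC addresses and the minute-based clock are constructed for illustration; `restrict` is the IOS keyword for the mode the post lists as Reject, and static entries are assumed not to age.

```python
class SecurePort:
    def __init__(self, maximum=1, violation="shutdown", static=(),
                 aging_min=0, aging_type="absolute"):
        self.maximum = maximum
        self.violation = violation   # "protect", "restrict" or "shutdown"
        self.static = set(static)
        self.dynamic = {}            # mac -> [learned_at, last_seen] in minutes
        self.aging_min = aging_min   # 0 means entries never age out (default)
        self.aging_type = aging_type
        self.err_disabled = False
        self.events = []             # (time, mac, mode) records that would be logged

    def _expire(self, now):
        if not self.aging_min:
            return
        # absolute counts from when the entry was learned, inactivity from last use
        index = 0 if self.aging_type == "absolute" else 1
        self.dynamic = {mac: t for mac, t in self.dynamic.items()
                        if now - t[index] < self.aging_min}

    def frame(self, src, now=0):
        """Return what happens to a frame with source MAC `src` at minute `now`."""
        if self.err_disabled:
            return "err-disabled"
        self._expire(now)
        if src in self.static:
            return "forward"
        if src in self.dynamic:
            self.dynamic[src][1] = now
            return "forward"
        if len(self.static) + len(self.dynamic) < self.maximum:
            self.dynamic[src] = [now, now]       # free slot: learn dynamically
            return "forward"
        if self.violation == "protect":
            return "drop"                        # silent drop
        self.events.append((now, src, self.violation))
        if self.violation == "shutdown":
            self.err_disabled = True
            return "err-disabled"
        return "drop"                            # restrict: drop and log

def gotcha():
    """The fa0/16 configuration from the post: maximum 2, one static address."""
    port = SecurePort(maximum=2, static={"6003.08a2.beea"})
    macs = ["6003.08a2.beea", "0011.2233.4455", "0011.2233.4466", "6003.08a2.beea"]
    return [port.frame(mac) for mac in macs]

def aging(aging_type):
    """Host A talks at minutes 0 and 8, host B shows up at minute 12 (timer 10)."""
    port = SecurePort(maximum=1, violation="restrict",
                      aging_min=10, aging_type=aging_type)
    return [port.frame("aaaa.aaaa.aaaa", 0), port.frame("aaaa.aaaa.aaaa", 8),
            port.frame("bbbb.bbbb.bbbb", 12)]

if __name__ == "__main__":
    print(gotcha())
    print(aging("absolute"), aging("inactivity"))
```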
tomtom1 Member Posts: 375
Got some work done on PVLANs yesterday. Luckily I was already a bit familiar with the material from VMware's implementation in the distributed vSwitch, so the concepts were already clear. Anyhow, another summary:
PVLANs basically are VLANs within VLANs.
PVLAN Types:
Primary, which can also be referred to as the promiscuous VLAN.
Secondary, which can either be isolated or community.
PVLAN "modes":
Promiscuous: This is mainly used with default gateways (such as routers or firewalls) but ports in promiscuous mode can communicate to other ports in the promiscuous VLAN, as well as isolated and community ports.
Community: Ports or hosts placed in a community PVLAN can communicate with hosts / ports in the same community VLAN and the promiscuous VLAN. PVLAN-Community ports cannot communicate with hosts / ports in other community PVLANs and isolated ports.
Isolated: Ports or hosts in an isolated PVLAN can only communicate with the promiscuous VLAN.
One small gotcha
One thing I ran into. PVLANs can only be configured with a VTP switch in transparent or off mode.
SW02(config-vlan)#private-vlan primary
%Private VLANs can only be configured when VTP is in transparent/off mode.
Fix:
SW02(config)#vtp mode off
VLAN Configuration:
SW03(config)#vlan 500
SW03(config-vlan)#name PVLAN-PRIMARY
SW03(config-vlan)#private-vlan primary
SW03(config-vlan)#vlan 501
SW03(config-vlan)#name PVLAN-COMMUNITY
SW03(config-vlan)#private-vlan community
SW03(config-vlan)#vlan 502
SW03(config-vlan)#name PVLAN-ISOLATED
SW03(config-vlan)#private-vlan isolated
SW03(config-vlan)#vlan 500
SW03(config-vlan)#private-vlan association 501,502
Port Configuration for a host in the community PVLAN:
SW03(config-vlan)#int fa0/11
SW03(config-if)#switchport mode private-vlan host
SW03(config-if)#switchport private-vlan host-association 500 501
Port Configuration for a host in the promiscuous PVLAN:
SW03(config-if)#int fa0/12
SW03(config-if)#switchport mode private-vlan promiscuous
SW03(config-if)#switchport private-vlan mapping 500 501,502
Verification commands:
SW03#sh vlan private-vlan
SW03#sh int fa0/11 sw | be private
-
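Added example, not part of the original post: a Python reachability check that parses private-VLAN configuration lines and applies the promiscuous / community / isolated rules summarised above. VLANs 500-502 and ports fa0/11 and fa0/12 follow the post; VLAN 503 and ports fa0/13 to fa0/16 are constructed, and fa0/16 shows what happens when a secondary VLAN is missing from the promiscuous mapping. Function names are this example's own.

```python
# Configuration lines without prompts; entries marked constructed are not in the post.
CONFIG = """\
vlan 500
 private-vlan primary
 private-vlan association 501,502
vlan 501
 private-vlan community
vlan 502
 private-vlan isolated
vlan 503
 private-vlan community
interface fa0/11
 switchport private-vlan host-association 500 501
interface fa0/12
 switchport private-vlan mapping 500 501,502
interface fa0/13
 switchport private-vlan host-association 500 501
interface fa0/14
 switchport private-vlan host-association 500 502
interface fa0/15
 switchport private-vlan host-association 500 502
interface fa0/16
 switchport private-vlan host-association 500 503
"""
# constructed: vlan 503 and interfaces fa0/13, fa0/14, fa0/15, fa0/16

TYPES = ("primary", "community", "isolated")

def parse(config):
    """Return ({vlan_id: type}, {port: {role, primary, secondary-set}})."""
    vlan_type, ports, ctx = {}, {}, None
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] in ("vlan", "interface"):
            ctx = (w[0], w[1])
        elif ctx and ctx[0] == "vlan" and w[0] == "private-vlan" and w[1] in TYPES:
            vlan_type[int(ctx[1])] = w[1]
        elif w[:3] == ["switchport", "private-vlan", "host-association"]:
            ports[ctx[1]] = {"role": "host", "primary": int(w[3]),
                             "secondary": {int(w[4])}}
        elif w[:3] == ["switchport", "private-vlan", "mapping"]:
            ports[ctx[1]] = {"role": "promiscuous", "primary": int(w[3]),
                             "secondary": {int(v) for v in w[4].split(",")}}
    return vlan_type, ports

def can_talk(a, b, vlan_type, ports):
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False
    if pa["role"] == pb["role"] == "promiscuous":
        return True
    if "promiscuous" in (pa["role"], pb["role"]):
        prom, host = (pa, pb) if pa["role"] == "promiscuous" else (pb, pa)
        return host["secondary"] <= prom["secondary"]   # must be in the mapping
    # two host ports: only members of the same community VLAN reach each other
    if pa["secondary"] != pb["secondary"]:
        return False
    return vlan_type.get(next(iter(pa["secondary"]))) == "community"

def reachable(port, vlan_type, ports):
    return sorted(p for p in ports if p != port and can_talk(port, p, vlan_type, ports))

if __name__ == "__main__":
    vt, pt = parse(CONFIG)
    for name in sorted(pt):
        print(name, "->", reachable(name, vt, pt))
```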
JeanM Member Posts: 1,117
Nice job on passing CCNP route on first attempt!
2015 goals - ccna voice / vmware vcp.
-
tomtom1 Member Posts: 375
Nice job on passing CCNP route on first attempt!
Thanks!
Question to you CCNP / CCIE candidates out there concerning DTP. I've learned that the default port mode should be dynamic desirable. When I run a command to verify DTP status, I noticed my default is different. For example:
SW03#sh int fa0/7 sw | i dynamic
Administrative Mode: dynamic auto
SW03#sh run int fa0/7
Building configuration...

Current configuration : 33 bytes
!
interface FastEthernet0/7
end
SW03#sh ver | i 15.0
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 15.0(1)SE, RELEASE SOFTWARE (fc1)
*    1 26    WS-C3560-24TS      15.0(1)SE             C3560-IPSERVICESK9-M
Do you know if this default was changed in between versions?
-
FloOz Member Posts: 1,614
3560s default is dynamic auto
3550s default is dynamic desirable
-
tomtom1 Member Posts: 375
3560s default is dynamic auto
3550s default is dynamic desirable
Weird that something like this would differ between models rather than IOS versions. Anyhow, got the OCG in yesterday and already picked up some things that gave me just a little bit more detail.
1) When auto negotiation on a switchport fails they fall back to a half-duplex mode.
2) A nice command regarding Etherchanneling:
test etherchannel load-balance interface Port-Channel1 mac 10dd.b1ea.bcf5 0008.9bdc.4ddd
It tells you, based on the load-balancing algorithm (sh etherchannel load-balance) which port of your channel would be used when a source mac address of 10dd.b1ea.bcf5 and a destination mac address of 0008.9bdc.4ddd is used (in my case).
-
tomtom1 Member Posts: 375
Dynamic desirable is truly a horrible default!
I know, prefer dynamic auto, but strange that it would differ. On your 3750's, default is dynamic desirable?
-
tomtom1 Member Posts: 375
Slowly started my way into the redundancy protocols. First one up is HSRP.
HSRP
The Cisco proprietary Hot Standby Router Protocol is one of multiple ways to provide first-hop redundancy on a segment. Why would you want this? See the topology below:
Hosts in the LAN subnet can either use R1 or R2 as a default gateway to reach the internet. However, consider the impact when R1 is used as a default gateway and R1 fails. The hosts would not be able to reach the internet and manual intervention (the reconfiguration of the hosts in the subnet - edit the default gateway to point to R2) could be one of the steps required to restore connection towards the internet.
This is where HSRP steps in. HSRP uses a virtual MAC and IP address to provide what is known as a virtual router. All hosts use the MAC and IP address of the virtual router to forward traffic (in the topology the virtual router will be the default gateway in the hosts on the LAN subnet). The router which is considered active for an HSRP group will respond to both the virtual MAC and IP address. A router in an HSRP group can either be active (forwarding traffic) or standby (waiting to become active).
HSRP packets are multicast to 224.0.0.2. The HSRP MAC address range is 00-00.0c-07.ac-xx. The xx refers to the HSRP group number in hexadecimal.
Configuration of HSRP
R1(config-if)#standby 1 ip 10.0.0.3
R2(config-if)#standby 1 ip 10.0.0.3
Once HSRP is configured, the priority (default 100) will decide who will be the active and who will be the standby HSRP router. If there is a tie, the highest IP address on the HSRP interface will be chosen. In my example, R2 will be the HSRP active router (since it has 10.0.0.2 as IP address) and R1 the HSRP standby router.
Preempt
Since the highest HSRP priority is a deciding factor for the HSRP election, one would expect that by setting the higher priority on the standby router, the standby router would become active.
R2(config-if)# standby 1 priority 110
This is not the case, unless preempt is enabled. Preempt allows a router to actively take over from active routers configured with a lower priority.
R2(config-if)# standby 1 preempt
3 routers
When 3 routers on a shared segment (Ethernet for example) share an HSRP virtual IP address (i.e. the standby <id> command is configured on all 3 routers), 1 router will become active (highest IP address when priority is a tie) and 1 will become standby. The third router will remain in the listen state, actively waiting to become either active or standby when the other routers fail.
HSRP verification commands:
sh standby
sh standby brief
debug standby
-
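Added example, not part of the original post: a Python model of the HSRP behaviour described above, covering the virtual MAC derived from the group number, the priority / highest-IP election with a third router left in listen state, and the effect of preempt after a priority change. It assumes HSRP version 1 and that all routers start at the same time; R3's address 10.0.0.4 and the function names are constructed.

```python
import ipaddress

def virtual_mac(group):
    """HSRP version 1 virtual MAC: fixed prefix plus the group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP version 1 groups are 0-255")
    return "0000.0c07.ac%02x" % group

def rank(router):
    """Higher priority wins; the highest interface IP breaks a tie."""
    return (router["priority"], int(ipaddress.ip_address(router["ip"])))

def initial_roles(routers):
    """Election when every router comes up together (assumption of this model)."""
    ordered = sorted(routers, key=rank, reverse=True)
    roles = {}
    for position, router in enumerate(ordered):
        if position == 0:
            roles[router["name"]] = "active"
        elif position == 1:
            roles[router["name"]] = "standby"
        else:
            roles[router["name"]] = "listen"
    return roles

def active_after_change(routers, current_active):
    """Who is active once priorities have changed on a running group.

    The current active router keeps its role unless another router has a
    strictly higher priority and preempt configured.
    """
    holder = next(r for r in routers if r["name"] == current_active)
    challengers = [r for r in routers
                   if r.get("preempt") and r["priority"] > holder["priority"]]
    if not challengers:
        return current_active
    return max(challengers, key=rank)["name"]

def demo():
    r1 = {"name": "R1", "ip": "10.0.0.1", "priority": 100}
    r2 = {"name": "R2", "ip": "10.0.0.2", "priority": 100}
    r3 = {"name": "R3", "ip": "10.0.0.4", "priority": 100}   # constructed
    two = initial_roles([r1, r2])
    three = initial_roles([r1, r2, r3])
    raised = dict(r1, priority=110)                          # standby 1 priority 110
    no_preempt = active_after_change([raised, r2], "R2")
    with_preempt = active_after_change([dict(raised, preempt=True), r2], "R2")
    return two, three, no_preempt, with_preempt

if __name__ == "__main__":
    print(virtual_mac(1))
    print(demo())
```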
gorebrush Member Posts: 2,743
I used to dislike switching, but one day I think during my studies a lightbulb went off and I can tackle most switch tasks with ease.
Spanning Tree and VLAN's are up there with my favourite topics.
-
tomtom1 Member Posts: 375
Something I'm not quite getting. Perhaps someone can clarify:
You configure QOS like this:
SW02(config)#mls qos
SW02(config)#int fa0/9
SW02(config-if)#mls qos trust cos
SW02(config-if)#mls qos trust device cisco-phone
What we do here is enable QOS, and trust the L2 information in the COS field (classes 0-7). We make the trust conditional for a cisco-phone.
Which would mean the cisco-phone connected to fa0/9 is able to modify the L2 header and provide COS information in the COS field, correct? The PC connected to the cisco-phone is untrusted and gets its COS field set to 0 (best effort) by default.
So, what does this command do:
SW02(config-if)#sw priority extend trust
SW02(config-if)#sw priority extend cos
If we set the extend to trust, we trust the cisco-phone? But didn't we do that already with mls qos trust cos and mls qos trust device cisco-phone? Or is my thinking wrong here? What if the PC requires the ability to do some kind of COS / TOS flagging?
Thanks for the replies.
-
hananaliabro Member Posts: 5
Dear sir, will I get a job in Dubai without experience?
Or may Dubai companies hire fresher CCNP holders?
Please reply to me.
-
tomtom1 Member Posts: 375
Something I'm not quite getting. Perhaps someone can clarify:
Got it sorted out. With the following commands (example), we configure QoS and trust the L2 COS value when the device connected to the other end is a cisco phone.
SW03(config-if)#mls qos trust cos
SW03(config-if)#mls qos trust device cisco-phone
With the switchport priority extend command, we have 2 options. Either set the value of the COS (example) to something we trust, or trust the PC attached to the cisco phone to send QOS information.
SW03(config-if)#switchport priority extend cos 2
SW03(config-if)#switchport priority extend trust
-
tomtom1 Member Posts: 375
Managed to do some labbing over the weekend. One interesting detail I picked up about Etherchanneling protocols. When the port configuration is edited on the port-channel level (i.e. adding of a VLAN), the physical interfaces belonging to the port-channel get the new config too. It was to be expected, but still nice to see it works.
I also ordered the Boson CCNP Switch practice exam which has some great labs and they really told me to reread the DTP stuff again. I did that and I feel I'm slowly getting ready for the exam. Date is set on July 25th.
-
tomtom1 Member Posts: 375
Knocked the SWITCH out this morning with an 850/1000. I think the planning + QOS sections could use a bit more work, but hey, a pass is a pass. I will start TSHOOT next weekend.
-
lrb Member Posts: 526
Nice work man! I think if you are still comfortable with the ROUTE material you should take the TSHOOT soon
-
tomtom1 Member Posts: 375
Took a few hours to recreate (parts of) the TSHOOT topology only to find some typing errors (FastEthernet0/0 where it should be FastEthernet0/1), which was a nice way to really hone my troubleshooting skills by accidentally misconfiguring stuff. The IPv4 stuff wasn't all that hard (some multi area OSPF, NAT / PAT and basic BGP) but my IPv6 skill still needs much more work. I'm most definitely not comfortable with OSPF v3 and RIPng. That will dictate most of my studying for this week.