Last weeks news: Networkers EMEA 2008 will be in Barcelona. For the diary: Monday Jan 21st – Thursday 24th.

I’m counting on being there, though untill my manager gives approval and it’s been booked I will not know fur sure…

Categories: Events, Main blog, Networking, Work
Comments Off

Right, back on the number hunt I’ve listed up for ccielab@groupstudy.com and am currently upgrading most of my routers to 12.4 or in case of my two 7200′s with NPE-200′s 12.3.

The feature-sets are a right mix too but I hope that I’ll be OK there. Personally I think that the enterprise feature-set is not needed when labbing for R&S as SNA, DSLw and the likes were removed in Jan 2006. I do try to have crypto in there as securing routing protocols is a hot item these days.

Next to IOS upgrades I’ve ordered some more serial cables to add to my lab as it will give me a lot more flexibility. I guess it’s one of the down sides of having ones lab in a datacenter and not at home. Ooh and not being able to manually reload routers is another issue I have. Luckilly it doesn’t happen that much but my 2621 with 40/8 (ram/flash) did not like 12.3(3i) IP as it complains about IOMEM and just halts during boot. (I can feel another trip to the datacenter coming) Cables should be in next week so I’ll have to work at the datacenter late coming Friday (in the UK on Wednesday and Thursday).

Categories: CCIE R&S, Main blog
Comments Off

Just reading up on stuff and came across the I/G and U/L bits in the MAC address. The I/G bit is the first bit of the MAC address, reading MSB to LSB, the U/L bit the second.

I/G: Binary 0 means the address is a unicast; Binary 1 means the address is a multicast or broadcast.
U/L: Binary 0 means the address is vendor assigned; Binary 1 means the address has been administratively assigned, overriding the vendor-assigned address.

Say I’d want to Deny Multicast & Broadcast and also Administratively assigned addresses, then the following ACL would be best (out of the three options, due to ACL length).

mac access-list extended MACL-official-Ucast-only
permit any 0000.0000.0000 00ff.ffff.ffff
!
interface FastEthernet1/0/10
mac access-group MACL-official-Ucast-only in

Categories: CCIE R&S, Main blog
Comments Off

10th of August is my next lab date. After booking the 14th then the 4th of September, the 10th of August came up and I snapped it up as soon as I could.

For all those wondering whether you can easily change your lab date. It’s easy enough, you just book another date and it moans at you that you already have a date. You’ll have to option to have the system delete your previous date replacing it with the one you’re trying to book. Took me a while to figure that one out but apparently it is listed somewhere on the Cisco CCIE site but I had a hard time finding it, was only after I heard the answer to my question from Cisco that a colleague pointed me to a page with the info I’d been looking for…

Categories: CCIE R&S
Comments Off

EEK, just noticed I’d not written anything about attending Networkers yet. Well I had a whale of a time and not just because of a rather cool ‘customer appreciation event’, the former Cisco party. But because I was able to attend a fabulous Techtorial and I managed to discuss a lot of issues with key people from Cisco.

Networkers has really changed my view on Cisco, the technical guys there were really interested in what we, the customers, had to say. They welcomed open discussion during their sessions and handed out business cards galore. I even received mail during the weekend after with answers to questions I posed during face-to-face Design sessions in between the presentations/normal sessions.

I must clarify that I registered my sessions very early and I planned it meticulously. I’ve only been to level 3 sessions which kept me safe from hot air marketing talk etc. Also I agree with Cisco when they say that what you get out of it is what you put into it and it really paid off for me. I’ve got so much info to take back with me and process that I’m glad I made so many notes. It surely was way more valuable than a month of full time classroom training.

Further things that impressed me were: Explanations of road-maps, a few of them even more than 12 months ahead. How approachable everyone was. How I managed to baffle one of the speakers during an MPLS VPN Design session I walked into; MPLS VPN hub-and-spoke via a firewall without using a vlan per vrf. There is no solution…

Better stop here else I’ll never stop. I will probably divulge into one or more of the subjects I attended some time in the future, but I’d better not promise anything…

Categories: CCIE R&S
Comments Off

Oh, lest I forget again. Check out the CCIE R&S pages. Since restarting my studies, I’m updating them regularly again so be prepared to find new gems in there. Or just browse it for some of those “oh yes” moments if ‘new’ it’s so new for you any more. We all forget this stuff if we don’t regularly remind ourselves, I do anyway…

Categories: CCIE R&S
Comments Off

I’ve heard reports of the lab containing more and more L3 switches these days. Looks like I need to update my lab hardware to incorporate some L3 switches. The 3550 is EOS but even second hand overly expensive, the 3560 is not cheap either. I’m hoping my employer is willing to get some as I’ve now got two other colleagues gearing up for their CCIE. I might have a trick up my sleeve but you’ll have to come back later if you want to know the outcome of that one.

I currently use a combination between a normal router and a vlan on my L2 switch for all switch related tasks but I guess Cisco is adding NAC (IEEE802.1x) and other advanced L2/L3 switching tasks into the lab. Which is kinda logical seeing as even I’m looking at the L3 switches as Ethernet access cpe’s.

Categories: CCIE R&S
Comments Off

Right, it’s been a while since my last attempt (2nd of August last year). Joshua, my 3,5 mo old son, is sleeping through the night so I can get back into studying.

Tonight is the evening I’ll be picking up the battle axe again and I must say I’m terribly rusty. Been very busy with work and that did not involve in-depth routing protocols. Will start on the basics and get myself familiar again with the basic stuff I got from my CCIE bootcamp. Then I’m planning to go through all the practice labs I have to see whether I’m really at ease with everything I encounter. Some of the points I’ve already mentally listed as crucial are:

• Multicast (PIM-SM, PIM-DM and using GRE tunnels)
• OSPF over various tastes of F/R
• BGP route manipulation (redistribution and tagging)
• ACLs (lock&key, time based & ‘odd’ logging)

I sure hope the other guys I studies with are still around as I’ve not heard from them in a while. My plan is to attempt my next lab in Feb, that is time permitting. Networkers EMEA 2007 will take a nice chunk out of my time as well as work related stuff although that shouldn’t be too much of an issue now that I’ve got some of my long awaited equipment.

Categories: CCIE R&S
Comments Off

Just a quick note to say that I’m going to Networkers2007.

If you’re going as well and want to meet me then drop me a line, with a suggestion of when you’re free. I don’t think I’ll be able to intentionally run into anyone there, my schedule is way too busy for that.

Suggestions for surviving Networkers are welcome as I’ve never been before.

Categories: Events, Networking, Work
Comments Off

For all those who check into this page and are wondering what I’ve been up to…

On the 22nd of September my second son was born, Joshua Marius Geurts. Since my last (and first) lab attempt I’ve been preparing for Joshua’s arrival by redoing the baby room and converting an old cupboard into a 2nd toilet.

Now that Joshua is here I’m busy with day to day life and trying to build a little reserve again. I hope to have to opportunity soon to start preparation again for my second lab attempt.

Categories: CCIE R&S, Main blog
Comments Off

[Cisco] IEEE 802.1X cannot be enabled on the port security enabled-port.

Sep 21 12:47:00.223: %LINK-3-UPDOWN: Interface GigabitEthernet2/6, changed state to up
Sep 21 12:47:01.223: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/6, changed state to up
Sep 21 12:47:20.198: %DOT1X-5-SECURITY_VIOLATION: Security violation on interface GigabitEthernet2/6, New MAC address 0012.3f09.3840 is seen on the interface in mode
Sep 21 12:47:20.198: %PM-4-ERR_DISABLE: security-violation error detected on Gi2/6, putting Gi2/6 in err-disable state
Sep 21 12:47:21.202: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/6, changed state to down
Sep 21 12:47:22.202: %LINK-3-UPDOWN: Interface GigabitEthernet2/6, changed state to down

Nice of CLI to state what mode it has trouble with!

Just found this on CCO…

You can enable port security on an 802.1X port in either single- or multiple-host mode. (To do so, you must configure port security with the switchport port-security interface configuration command.) When you enable port security and 802.1X on a port, 802.1X authenticates the port, and port security manages the number of MAC addresses allowed on that port, including that of the client. Hence, you can use an 802.1X port with port security enabled to limit the number or group of clients that can access the network.

Now what happens when I use VoIP and plug my pc into the phone? The phone is compatible with CDP and as such is allowed into the voice vlan, the PC does dot1x and is allowed access by user credentials. However port-security will set the port to err-disabled due to something related to the phone:

Sep 21 14:49:57.550: PSECURE: swidb = GigabitEthernet2/6 mac_addr = 0800.0f1e.f7ad vlanid = 40
Sep 21 14:49:57.550: PSECURE: Adding 0800.0f1e.f7ad as dynamic on port Gi2/6 for vlan 40
Sep 21 14:49:57.550: PSECURE: Violation/duplicate detected upon receiving 0800.0f1e.f7ad on vlan 40: port_num_addrs 1 port_max_addrs 1 vlan_addr_ct 0: vlan_addr_max 2 total_addrs 0: max_total_addrs 3072
Sep 21 14:49:57.550: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0800.0f1e.f7ad on port GigabitEthernet2/6.
Sep 21 14:49:57.550: PSECURE: Security violation, TrapCount:33

One needs all three lines (if-config) if one wants to be propperly secure (this works btw):

switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security violation restrict

The restrict is to leave the phone working when a pc is denied access, nice DOS otherwise to down all phones in sight…

Categories: Work
Comments Off

CCIE Routing and Switching Lab Score Report

Candidate: Djerk Geurts
Lab Date: August 2 2006
Lab Site: Brussels
Failed

I really thought I passed, had time to spare, reloaded everything check the routing tables and complete connectivity. I quickly came down to earth when my wife phoned me back saying I’d received a mail from Cisco. Must say it’s pretty quick so I must have either annoyed the proctor or the script  that runs against the configs must have regarded my configs not enough Cisco compliant.

Sad thing is I have no idea what I did wrong and as there’s no way of getting any feedback I’m afraid I’ll make the sam mistakes next time. Maybe next time I’ll be a little more relaxed and focussed. Maybe I was too stressed, didn’t feel it, and missed some important things in the questions. I suppose I’ll never know.

I’ll be focusing on DIY for the moment as I need to prepare for a new baby which is due to arrive soon. Stay tuned!…

Categories: CCIE R&S
Comments Off

A nice relaxing day to write some last notes and relax, for my latest addtions have a look in the lab section of my CCIE R&S page. New topics:

• Smurf/fraggle attacks
• EIGRP bandwidth limitation
• DHCP pool options
• F/R with ‘dual’ QoS (thanks to the evil bastard for that one)
• Redistribute BGP default into IGP

Will post again on wednesday evening (bad) or thursday (should be good)

Categories: CCIE R&S
Comments Off

Pfew, I’m typing this with the last little bit of energy left in me. I started this morning on the mocklab I screwed up during the bootcamp and I actually finished in time. I would not have had 100% score as there were two things I had to look up outside of the “univercd”.

So this has given me a last push to find little thing that I’d forgotten (already!) or hadn’t used yet. Like BGP and EIGRP authentication. I’ve written down some topics I want to work out on my CCIE R&S pages so stay tuned int the next two days.

Time for dinner now , ooh I’m soo happy that I managed this in 8 hours, the 1st mocklab I did took me 14 hours so this is a nice booster for this wednesday when it’s for real.

PS: I’ve bought a set of coloured pens, I really hope the proctor will allow me to use them as my drawings become a mess without them. I’ve used them the entire week and now have a nice colour coding scheme for different things like protocols and special notes. Also I’ve developed the habit of making a separate network drawings for BGP and Multicast, it really helps keeping the different forwarding planes separate and simple.

Categories: CCIE R&S
Comments Off

Found this 3 minute video showing the lab environment and detailing in simple terms what the 8 hour CCIE lab exam is.

Categories: CCIE R&S
Comments Off