Sep 03

I enjoyed Petr’s article regarding explicit next hop. It reminded me of a scenario where a route redistributed into OSPF worked conditionally, depending on which reachable next hop was used.

Here is the topology for the scenario:

3 routers ospf fa blogpost

Here is the relevant (and working :) ) information for R1.

R1 screenshot

When we replace the static route with one that uses a new reachable next hop, we lose the ability to ping 100.100.100.3.

R1 screenshot 2

When we change the next hop for the static route (which is being redistributed into OSPF), the route to 100.100.100.0/24 no longer works, even though we have verified that we can ping the new next hop.

Can you solve this puzzle?  Please post your ideas!

For more troubleshooting scenarios, please see our CCIE Route-Switch workbooks, volume 2, for more than 100 challenging troubleshooting scenarios.

We will post the results right here, in a few days, after you have had a chance to post your comments and ideas.

Best wishes,

Keith

Jul 19

The author and poet Maya Angelou said “Words mean more than what is set down on paper. It takes the human voice to infuse them with deeper meaning.” Well, that is certainly what we have attempted to do with the CCIE Voice Deep Dive self-paced Class on Demand series – that is, to bring the human instructional voice element to infuse deeper meaning into what is already fantastic Cisco Documentation. Anyone who has set out and determined to undertake the task of studying for and ultimately passing any CCIE Lab exam knows that at some point during your studies, the words on paper (Cisco Docs, RFCs, books) – while an absolutely phenomenal source of information – can at times seem to lose their impact. Perhaps you have been studying too long, read one too many docs, have the time pressure of your family and friends waiting for you to return to be a part of their life, or perhaps you are just starting out on your adventure and don’t know where to begin. Whatever stage you are at or whatever the case may be, it is certainly helpful to have a tutor and mentor there beside you at times, assisting you in understanding what each complex technology’s documentation is trying to teach you, in possibly a deeper and more insightful way than you can manage on your own.

Wait no longer for such help to arrive! INE is happy to announce that each Live-Online Deep Dive course that we have taught has been recorded, and you have the ability to access these extensive repositories of knowledge at any time.

Here are a couple of great demos of just a portion of the latest Deep Dive session we held on Globalization & Localization in order to whet your appetite:

Demo 1: Globalization Prezi – Theory and Reasons

Demo 2: Inbound Calling Party Localization

For each complex topic we have held — or will soon hold (listings to follow below) — a separate online class where we dive down deep and explore all the concepts, practical application and troubleshooting associated with each technology topic. We then allow you to purchase each module individually (if you like) so that you can either try small sections of the product, or so that those who only need to plug in small gaps of knowledge can do so at a very deep, intense level – either one without committing to purchase the entire product series.

The general format for each Class-on-Demand Deep Dive module spends between 4-7 hours on the given topic for that day, and during that time follows this outlined training methodology:

  • Collectively discuss and teach all concepts involved in the technology
  • Whiteboard concepts to further deepen every participant’s understanding
  • Define a specific set of tasks to be accomplished
  • Demonstrate how the tasks and concepts are implemented and properly configured
  • Test the configuration thoroughly
  • Vary the configuration to understand how different permutations affect the outcome
  • Debug and trace the working configuration to understand what should be seen
  • Break the configuration and troubleshoot with debugs and traces to contrast from the working set

Thus far, we have held 10 online sessions – each with a median recorded runtime of 6 hours. We have almost 60 hours of Class on Demand content, and we’ve only just begun! We conservatively estimate that by the time we complete our more than 30 planned modules, we will have over 200 hours of Deep Dive recordings.

Below is a detailed index from the 10 currently available sessions:

Module 1 :: Network Infrastructure with LAN Quality of Service

  • Catalyst 3560/3750 Classification and Marking
  • Catalyst 3560/3750 Conditional Trust
  • Catalyst 3560/3750 Ingress Interface Mapping
  • Catalyst 3560/3750 Ingress Interface Queuing
  • Catalyst 3560/3750 Ingress Interface Expedite Queue
  • Catalyst 3560/3750 L2 CoS to L3 DSCP Mapping
  • Catalyst 3560/3750 Egress Interface Mapping
  • Catalyst 3560/3750 Egress Interface Queuing
  • Catalyst 3560/3750 Interface Queue Memory Allocation
  • Catalyst 3560/3750 Egress Queue-Set Templates
  • Catalyst 3560/3750 Weighted Tail Drop (WTD) Buffer Allocation
  • Catalyst 3560/3750 Egress Interface Expedite Queue
  • Catalyst 3560/3750 Egress Interface Sharing
  • Catalyst 3560/3750 Egress Interface Shaping
  • Catalyst 3560/3750 Scavenger Traffic Policing

Module 02 :: CUOS GUI and CLI Admin

  • CUCM WebUI: Service Activation and Stop/Start/Reset
  • CUCM WebUI: Bulk Administration Tool (Import/Export, Phone Reports, etc)
  • CUCM WebUI: DB Replication Status
  • CUCM WebUI: Trace Files
  • CUOS CLI: TFTP Files Management
  • CUOS CLI: Status and Hostname
  • CUOS CLI: DB Replication Assurance
  • CUOS CLI: DB Replication Repair and Cluster Reset
  • CUOS CLI: Trace Files
  • CUOS CLI: RIS DB Search
  • CUOS CLI: Performance Monitor (PerfMon)
  • RTMT: Trace Files
  • RTMT: Performance Monitor (PerfMon)

Module 03 :: CUCM System and Phone – SCCP and SIP Fundamentals

  • CUCM Services
  • UC Servers and Groups
  • Date/Time with NTP Reference
  • Regions and Codecs
  • Location-Based Call Admission Control
  • SRST References
  • Device Pools
  • System Parameters
  • Enterprise Parameters
  • Phone Button Templates
  • Softkey Templates
  • SCCP Phone Basics
  • SIP Phone Basics

Module 04 :: Users, Credentials, Multi-Level Roles and LDAP Internetworking

  • CUCM User Credentials and Policies
  • LDAP Synchronization for CUCM and Unity Connection
  • LDAP Authentication for CUCM and Unity Connection
  • CUCM End Users
  • CUCM User Roles
  • CUCM Multi-Level Administration
  • CUCM Device/Phone/Line User Association
  • UCCX and CUP Basic Users

Module 05 :: Call Features – In-Depth

  • SCCP and SIP Phone Display
  • Phone Firmware
  • Phone Logging
  • Ring Settings
  • Basic and Advanced Call Forwarding Display
  • Auto-Answer Options
  • CallBack (Camp-On)
  • Intercom
  • Advanced Call Hold Options
  • Call Park
  • Directed Call Park
  • Advanced Call Park Settings
  • Call Pickup
  • Group Call Pickup
  • Other Call Pickup
  • Directed Call Pickup
  • Call Pickup Attributes
  • Shared Line
  • Barge and cBarge (Conference Barge)
  • Privacy
  • Built-In IP Phone Bridge

Module 06 :: Media Resources – MTPs, Conf Bridges, Annunciator and Music on Hold

  • IOS Software MTP
  • IOS Conference Bridge
  • IOS Transcoding
  • Media Preference and Redundancy
  • Meet-Me Conferencing
  • Ad-Hoc Conferencing
  • Annunciator
  • Unicast Music on Hold
  • Traditional Multicast Music on Hold
  • Alternate Multicast Music on Hold

Module 07 :: Expert Gateways & Trunks

  • ISDN Switch Types and Advanced CNAM options
  • ISDN Information Elements
  • SIP Trunks – Fundamental and Advanced Options
  • H.323 Gateways – Fundamental and Advanced Options
  • MGCP Gateways – Fundamental and Advanced Options

Module 08 :: Expert H.323 Gatekeeper

  • Provisioning IOS H.323 Gatekeeper
  • Registering CUCM with H.323 Gatekeeper
  • Registering CUCME with H.323 Gatekeeper
  • Routing Calls from CUCME to CUCM via Gatekeeper in Multiple Zones with Dynamic E.164 Aliases
  • Routing Calls from CUCM to CUCME via Gatekeeper in Multiple Zones with Multiple Tech Prefixes
  • Routing Calls from CUCME to CUCM via Gatekeeper in Multiple Zones with Multiple Tech Prefixes
  • Routing Calls from CUCME to CUCM via Gatekeeper in Multiple Zones with Static E.164 Aliases
  • Routing Calls from CUCM to CUCME and Back via Gatekeeper in One Zone with One Tech Prefix
  • Gatekeeper Call Admission Control
  • Routing Calls from CUCM to CUCME and Back via Alternate Gatekeeper Clustering in Multiple Zones with Multiple Tech Prefixes using GUP

Module 09 :: Dial Plan – Line Device Approach and the Not-So-Basic Fundamentals

  • Class of Service: Calling Search Spaces and Partitions
  • Gateways, Route Groups, Local Route Groups/Device Pools
  • Route Lists and Standard Local Route Groups
  • Route Patterns and Translation Patterns
  • Digit Manipulation: Calling & Called Party Transformations and IOS Dial Peers
  • Private Line Automatic Ringdown (PLAR)

Module 10 :: Dial Plan – Globalization & Localization of both the Calling and the Called Numbers, and with Mapping the Global Number to the Local Variant

  • Inbound PSTN Calls (Ingress from PSTN, Egress to Phones): Calling Party Globalization :: GW Incoming Calling Party Settings
  • Inbound PSTN Calls (Ingress from PSTN, Egress to Phones): Calling Party Localization :: Phone Calling Party Transformations
  • Outbound PSTN Calls (Ingress from Phones, Egress to PSTN): Called Party Globalization :: PSTN Patterns – a.k.a. “Translation Patterns are the *New* Route Patterns”
  • Outbound PSTN Calls (Ingress from Phones, Egress to PSTN): Called Party Localization :: Digit Manipulation: Calling & Called Party Transformations and IOS Voice Translation Rules & Dial Peers
  • Mapping the Global Number to the Local Variant :: + Dialing and One-Button Missed Call DialBack

So stay tuned to this blog as we will shortly post the upcoming modules soon to be held online and recorded.

Jul 09

“Why doesn’t this PING work!?!”

Here is a simple 3 router configuration, well at least it is simple on 2 of the 3 routers. R1 and R3 are configured quite traditionally, but R2 is a bit more involved.
Here is the diagram.

ZBF Transparent VRF R2

Here are the details.

R2 is using a VRF which includes both LAN interfaces. R2 is also acting as a Zone Based Firewall in transparent mode, allowing all ICMP traffic in both directions, as well as SSH from the inside to the outside networks. R2 has a bridged virtual interface in the 10.123.0.0/24 network. All are running OSPF, but pings issued from R2 to the loopbacks of R1 and R3 are failing.

Can you identify why?
Here is the relevant output:

R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   FULL/DR         00:00:39    10.123.0.3      FastEthernet0/0
10.123.0.2        1   FULL/BDR        00:00:32    10.123.0.2      FastEthernet0/0
R1#show ip route ospf
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/2] via 10.123.0.3, 00:01:33, FastEthernet0/0

R1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/88/172 ms
R1#ssh -l admin 3.3.3.3
Password: <password>

R3#show ssh
Connection Version Mode Encryption  Hmac         State                 Username
0          1.99     IN   aes128-cbc  hmac-sha1    Session started       admin
0          1.99     OUT  aes128-cbc  hmac-sha1    Session started       admin
%No SSHv1 server connections running.
R3#exit

[Connection to 3.3.3.3 closed by foreign host]
R1#

Now for R2:

R2#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DROTHER    00:00:37    10.123.0.1      BVI1
3.3.3.3           1   FULL/DR         00:00:35    10.123.0.3      BVI1

R2#show ip route ospf

R2#show policy-map type inspect zone-pair
 Zone-pair: zp-in-to-out

  Service-policy inspect : p-in-to-out

    Class-map: c-in-to-out (match-any)
      Match: protocol icmp
        4 packets, 320 bytes
        30 second rate 0 bps
      Match: protocol ssh
        3 packets, 72 bytes
        30 second rate 0 bps
      Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [4:390]
        icmp packets: [0:50]

        Session creations since subsystem startup or last reset 8
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [2:1:1]
        Last session created 00:02:23
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 3
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
 Zone-pair: zp-out-to-in

  Service-policy inspect : p-out-to-in

    Class-map: c-out-to-in (match-all)
      Match: protocol icmp
      Inspect
        Packet inspection statistics [process switch:fast switch]
        icmp packets: [0:20]

        Session creations since subsystem startup or last reset 2
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [1:1:0]
        Last session created 00:25:24
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 1
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        4 packets, 96 bytes

R2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2# show run
version 12.4
hostname R2
!
ip vrf myvrf
!
class-map type inspect match-any c-in-to-out
 match protocol icmp
 match protocol ssh
class-map type inspect match-all c-out-to-in
 match protocol icmp
!
policy-map type inspect p-in-to-out
 class type inspect c-in-to-out
  inspect
 class class-default
policy-map type inspect p-out-to-in
 class type inspect c-out-to-in
  inspect
 class class-default
!
zone security inside
zone security outside
zone-pair security zp-in-to-out source inside destination outside
 service-policy type inspect p-in-to-out
zone-pair security zp-out-to-in source outside destination inside
 service-policy type inspect p-out-to-in
bridge irb
!
interface FastEthernet0/0
 ip vrf forwarding myvrf
 no ip address
 zone-member security inside
 bridge-group 1
!
interface FastEthernet0/1
 ip vrf forwarding myvrf
 no ip address
 zone-member security outside
 bridge-group 1
!
interface BVI1
 ip vrf forwarding myvrf
 ip address 10.123.0.2 255.255.255.0
!
router ospf 1 vrf myvrf
 router-id 10.123.0.2
 network 0.0.0.0 255.255.255.255 area 0
!
bridge 1 protocol ieee
bridge 1 route ip
end
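
As an added example (not part of the original post or INE's material), this Python script parses the firewall lines of R2's configuration above and checks that the zone-pairs inspect exactly what the description states: ICMP in both directions and SSH from inside to outside. The function names and the `STATED_INTENT` table are assumptions made for illustration.

```python
from collections import defaultdict
# Firewall lines of R2's "show run", copied from the post above.
R2_CONFIG = """\
class-map type inspect match-any c-in-to-out
 match protocol icmp
 match protocol ssh
class-map type inspect match-all c-out-to-in
 match protocol icmp
policy-map type inspect p-in-to-out
 class type inspect c-in-to-out
  inspect
 class class-default
policy-map type inspect p-out-to-in
 class type inspect c-out-to-in
  inspect
 class class-default
zone-pair security zp-in-to-out source inside destination outside
 service-policy type inspect p-in-to-out
zone-pair security zp-out-to-in source outside destination inside
 service-policy type inspect p-out-to-in
"""
# The policy as the post's prose describes it (assumed table, built for this example).
STATED_INTENT = {("inside", "outside"): {"icmp", "ssh"}, ("outside", "inside"): {"icmp"}}

def inspected_protocols(config):
    """Return {(source zone, destination zone): protocols given an inspect action}."""
    class_protos, inspected = defaultdict(set), defaultdict(list)
    result, section, name, cls, pair = {}, None, None, None, None
    for line in config.splitlines():
        w = line.split()
        if line.startswith(("class-map type inspect", "policy-map type inspect")):
            section, name = w[0], w[-1]
        elif line.startswith("zone-pair security"):
            section, pair = "zone-pair", (w[4], w[6])
        elif section == "class-map" and w[:2] == ["match", "protocol"]:
            class_protos[name].add(w[2])
        elif section == "policy-map" and w[:1] == ["class"]:
            cls = w[-1]  # a class with no action (class-default here) keeps its drop
        elif section == "policy-map" and w == ["inspect"]:
            inspected[name].append(cls)
        elif section == "zone-pair" and w[:1] == ["service-policy"]:
            # Policy-maps precede zone-pairs in the running config, so they are known here.
            result[pair] = set().union(*(class_protos[c] for c in inspected[w[-1]]))
    return result

def policy_drift(config, intent):
    """Return, per zone pair, the protocols where config and intent disagree."""
    actual = inspected_protocols(config)
    return {p: d for p in set(actual) | set(intent)
            if (d := actual.get(p, set()) ^ intent.get(p, set()))}
```

An empty result from `policy_drift(R2_CONFIG, STATED_INTENT)` means the zone-pair policy matches the description, which lets you rule the inspect policy in or out before looking elsewhere.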

Here is R3:

R3#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DROTHER    00:00:32    10.123.0.1      FastEthernet0/1
10.123.0.2        1   FULL/BDR        00:00:31    10.123.0.2      FastEthernet0/1

R3#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/2] via 10.123.0.1, 00:29:36, FastEthernet0/1

R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/117/176 ms
R3#

Similar configuration scenarios are included in both our RS and SC workbooks at INE.

Take a moment, and post your ideas on why the PING from R2 is failing, and thanks for taking the time to assist!

Best wishes, Keith

Jul 02

The best-selling Volume 2 practice lab workbook from INE has been updated with new, 2-hour Troubleshooting sections that mirror the actual Cisco Lab Exam. Labs 1 through 3 are published now to member accounts. More are on the way!

Do you want to watch Keith Barker solve the Lab 1 TS section? Check out the updated Interactive Video Companion! I will be demonstrating my approach to Lab 2 in that product next week.

Enjoy the updates everyone, and as always, thank you so much for choosing INE.

Apr 22

We are so thankful to all of the students that have helped shape the Interactive Video Companion for Volume 2 subscription. The latest new feature is the direct result of student feedback about the product as well as student input about the lab exam itself.

Feel free to test drive this new feature with the sample below. As always, enjoy!

Version 4 Challenge – MPLS L3 VPN Troubleshooting

Mar 02
This post focuses on Frame-Relay Troubleshooting for the CCIE Version 4 exam.
Jan 10
New labs arriving in Volume 4!
Dec 10
The Advanced Troubleshooting Bootcamp receives an enhancement!
Dec 07
Test your MPLS troubleshooting skills, and find the 1 configuration issue! On your mark, get set....