Category: Personal


I passed the ARCH exam!

It’s been a while since I’ve posted something here. Multiple reasons of course, but lately I had to focus so much on learning that I didn’t take the time for it anymore. Why? Well, since I got my CCNP almost three years ago, it had to be recertified. Together with my CCDA, that presented the opportunity to gain a CCDP certification and renew my CCNP at once by taking just one more exam: ARCH.

So it’s been done. Was it hard? I honestly don’t know. So much has changed this last year for me: how I look at my profession, how I look at learning, at certifications… I can’t compare it anymore to past experiences. I learned so many things outside of the certification path that are so important for an engineer to have insight into… Examples like TCP windowing, ASIC behavior, VRF deployment, application behavior in LAN and WAN (Citrix, SCP, FTP, NTP, vMotion, SCCM), load balancing and SSL offloading, …

All I know is that this was a lot of (useful) theory and I had to devise a plan to learn it all, which eventually succeeded. So besides the certification, I improved my ability to learn along the way. And that in turn gives me strength for the next one: CCIEv5.

Yes, there, I said it. For over a year I kept doubting it a bit, saying I wanted it but not putting a date on it. That’s over now. In a month I’ll start preparing for the written, with hopefully the exam in the first quarter of 2015.

I am ready.

An update…

Well, I haven’t been active here for a while now. The problem is that, while I’m still learning a ton of things, it’s a lot of small things that I find hard to put in a blog post. For example: IS-IS basics, working with different spanning-tree types in a network, fine-tuning Wireshark, exploring EEM, and wondering what CCIEv5 will bring.

Yes, I’m still going for those numbers one day. Speculations for CCIEv5 are the removal of some older topics such as Frame Relay and more focus on newer technologies. Since I’m working with many newer technologies, I’m hoping it will work to my advantage when it’s finally announced.

Honestly, I can’t tell when this blog will be updated again. I’m hoping to find time and inspiration soon, but 1) this blog is a nice collection of information already even if inactive, and 2) learning technologies myself is still more important than putting them on a blog of course.

Greetings to all readers!

CCDA certified!

Yes, another certificate! I took the exam last Monday and I passed. Although I have to admit, I didn’t find this exam easy. At all. But it’s hard to compare with past exams because I haven’t taken one in the last year and a half.

That’s also the reason why: my previous certificates will expire in a little over a year. I still want that CCIE but I’m becoming uncertain if I will get it by then, and my company expects a certificate every now and then.

Up next: most likely CCDP. It will require just one exam, ARCH, since I passed ROUTE and SWITCH less than three years ago, and it will recertify my CCNP as well.

As for the CCDA content: interesting and I really learned things, but it’s not one I’d recommend for any engineer. The Routing & Switching track is much more of a challenge.

Best luck to all studying out there!

Cisco Live 2013: a great experience.

Last week a colleague and I went to Cisco Live London 2013! Overall experience: great. I gained an impressive amount of knowledge in a short time, and writing all that down would generate enough blog posts for a year. We went to many different seminars that really went into the details. Too much to name, but a quick review of the impressive stuff I saw:

  • The launch of the Catalyst 3850 switch. I’m not going to read the data sheet, but a quick overview: all 3750X functionality (StackWise, StackPower, hardware IPv6, QoS, redundant power and fans), 802.3at PoE+, 32k CAM table possible, integrated Wireless LAN Controller, up to 40 Gbps WLC throughput, and besides the 24 or 48 Gigabit ports up to 4x 10GE is possible in an SFP+ module. Very promising, although most functionality is expected for a next-generation switch, and I have yet to test it all in a production environment.
  • A seminar about the Nexus 6000 switch. Designed towards ultra low-latency implementations. While I did think initially that it would be of little use cost/benefits-wise outside of the trading and high computing markets, an article by Greg Ferro made me think about this again. Apparently he was there too in London. Worth the read.
  • The Nexus 7000 architecture seminar. This was a bit of a disappointment. Cisco’s flagship data center switch sounds like an elephant: huge, strong and loudly announcing it’s there, but too many features that aren’t ready yet, so watch out what you want to do with it. I noticed plenty of limitations on the current generation that will probably go unnoticed if you’re not using the Nexus to its full potential, but no one buys a Nexus 7000 just for basic switching.
  • EnergyWise fundamentals and deployment by John Parello. An unexpectedly useful technology that I have working now (more about that in a later blog post). I find that this requires more attention and research.
  • FCoE practical lab: a complete overview of the technology, much more in-depth than my own brief review. Again an interesting technology that will prove useful when mastered. For practical implementation it requires a lot of planning and design in advance though.
  • Ultra Low Latency Data Center design: I already mentioned some details on latency in my article about fibers. Though not that important for me in practice, I learned some key points about latency.
  • Multicast troubleshooting: Luc De Ghein did a great explanation there, giving me insight into multicast inner workings.
  • Meet The Engineer meeting with Lars, an engineer sharing the same native language as me, who is a Catalyst 6500 switch expert. He gave me good insights into hardware and software ACLs and Control Plane Policing.
  • CCIE Troubleshooting lab: my colleague and I actually managed to solve part of it… But 45 minutes was just too short. A nice taste of things that may come for me one day.

For a network engineer this was a really great event, much to see, to learn, to experience. Probably a once-in-a-lifetime chance for me, and I don’t regret it.


I may have underestimated this.

I’m probably among the people with the most Cisco knowledge in my team and the only one studying for CCIE.

Yet I was outwitted twice this week by colleagues in troubleshooting, one of them on a pure Cisco design issue. And my CCIE Written test exams (Boson) showed me I was able to answer 40% of the questions correctly. I had expected 50% and up, since CCNP would cover about half of it.

So here it is: I may have underestimated this CCIE study. Does that mean I’m giving up? No. But it does mean I’m going to do things differently. For CCIE Written, I dropped lab practice almost entirely, focusing only on theory, hoping to pass the Written fast (my personal deadline was before Cisco Live London this year, so Friday January 25th), then starting lab practice to get the hang of it, fine-tuning my skills.

But it appears that’s not how reality works. It’s not even how my own mind works. I can’t study anything I don’t understand, so I’m going to have to do practical research before the Written. It showed clearly in my test results, where I scored great on MPLS (which I have worked with) and utterly failed QoS (which I’ve learned, but never practised with).

So here’s the new plan:

  • No deadlines, just weekly progress.
  • Lab redesign/upgrade.
  • A few hours of dedicated lab time per week instead of erratic patches of free time where I randomly plug in some cables.
  • Research, research, research.

And as far as colleagues outwitting me goes: well done, guys. I love to have a challenge and you’re surely providing me with one. Experience counts in this job, and I’m going to need years more to get that to a level where I would be satisfied with myself.

Some milestones passed.

It’s December 2012. Last year, I started working as a network support engineer at my present job, so I no longer need to count my experience in months.
Second: I achieved my CCNP certification on December 20th, 2011. A year can go fast – two more of those and I need to recertify if I don’t get anything equal or better by that time.
Third: the growth of my blog passed certain psychological thresholds: +30,000 total views, 100 blog posts (this is number 101) and I’m approaching (and at times surpassing) 1,000 visitors per week.

And what I’ve been doing lately? A brief review of what has been keeping me busy:

  • I had to test next-generation firewalls (NGFW) from different vendors and see what they are capable of. Personal achievement: my questions have made every sales engineer sweat. And not all products do what they advertise. I’m not sure if I can go into detail on that later, but I’ll try.
  • Research and design of an example MPLS network. Yes, I got to work with Cisco Metro Ethernet switches, and I’m going to post some articles about that later on.
  • My previous VPN articles: I have to admit, I wanted to post five, not four. The fifth article was going to be a site-to-site VPN on OpenBSD 5.2, but as much as I love that platform, I just can’t get it to work completely, and documentation is unclear. A shame really. If anyone has it working on a modern release (5.0 and up) and understands what (s)he is doing, you’re welcome to contact me.
  • Research into loop prevention, avoidance and limitation. Expect an upcoming article about that as well.

Thanks to all of you for reading my blog, and support in various forms (a comment, explanation, tips, links,…). Stay tuned!

A little bit of everything.

Yes, a bit of everything, that’s what it has been lately. First, I’m upgrading my home lab switches with more recent IOS versions. The 3560 on my desk can now run EIGRP for IPv6. My 2970 gigabit switch will follow tomorrow, with a K9 IOS this time to make it accessible via SSH.

Second is that I’ve been fine-tuning my knowledge of layer 2 security features, using my 3560 desk switch and a 3750 test switch as subjects. RA Guard works great, and so does DHCP Snooping. DHCP Snooping has revealed a third functionality to me, next to countering rogue DHCP servers and preventing DHCP flooding: it also detects when a MAC address that sends an INFORM cannot be present on that port according to the mac address-table. It will generate a ‘%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL’ message and drop the frame. Seems to be a functionality related to ARP Inspection.
ARP Inspection, on the other hand, requires some planning of your DHCP servers: if multiple are present and they all reply at the same time, the DHCP Snooping feature, on which ARP Inspection relies, sometimes picks the wrong packet to add to its binding table. The client device selects another packet of the ones it received to configure itself, and thus ARP Inspection thinks there’s spoofing going on. I’m still figuring out how to effectively counter that.

Third is that I’ve ordered the CCIE Routing and Switching Certification Guide, 4th Edition hardcover, so I have a lot of reading to be done soon. I have to admit that I don’t like to read ebooks on a big screen so far, and I’m reluctant to buy a reader.
Yesterday I also tried an MPLS lab for the first time, with MP-BGP in GNS3. It did take me several hours, but I managed to get it running. Not bad for never having done anything MPLS related before. Still, it’s a huge topic and I’ll need to learn a lot more about that.

And last, I tested an Aruba Remote Access Point (RAP). I’ve already tested Instant Access Points. The RAP works differently: once booted, it needs an internet connection. When connecting a computer (it has LAN interfaces, just like a consumer-grade router), it redirects to a setup page, where you have to enter the public IP address of a Wireless LAN Controller (WLC). It then tries to negotiate a tunnel through NAT-T over UDP port 4500 to that WLC. It works by encapsulating IPsec in a UDP header, bypassing any NAT devices that are incapable of keeping the NAT state of IPsec.
The RAP tries to authenticate itself at the WLC using its MAC address. After whitelisting it and configuring a wireless profile (which contains the list of SSIDs to send out), I had to reboot the RAP. I ended up rebooting it several times, thinking it didn’t work, but eventually it turned out my cable had broken due to all the times I plugged it in and out again. The RAP booted fine and started sending out the correct SSIDs. Initially, the wireless connection didn’t hand out an IP to me, but after five minutes, everything suddenly got an IP and started working as if there had never been a problem. Not sure why this happened, although I suspect my NAT router of dropping some of the UDP packets (which wouldn’t be the first time).
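The NAT-T framing mentioned above, as an added example that is not part of the original post and not Aruba’s or Cisco’s code: a small Python classifier that tells IKE, ESP and keepalive datagrams apart on UDP 4500 using only the RFC 3948 rules (four zero bytes mark IKE, a non-zero SPI marks ESP, a single 0xFF byte is a keepalive), applied to a constructed sample capture. A summary like this, taken on both sides of a NAT router, shows whether the tunnel negotiates at all or whether only data packets are being lost.

```python
"""Classify UDP/4500 datagrams the way a NAT-T endpoint does (RFC 3948 framing).

Added example, not Aruba's or Cisco's code; the sample datagrams below are constructed."""
import struct
from collections import Counter
from dataclasses import dataclass, field

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: 4 zero bytes in front of IKE on port 4500
NAT_KEEPALIVE = b"\xff"                 # RFC 3948: one-byte keepalive that refreshes the NAT mapping
IKE_HDR = struct.Struct("!8s8sBBBBII")  # RFC 7296 s.3.1: 28-byte IKE header
IKE_SA_INIT, IKE_AUTH = 34, 35          # RFC 7296 exchange types

@dataclass
class NatTRecord:
    kind: str                            # "keepalive", "ike", "esp" or "malformed"
    detail: dict = field(default_factory=dict)

def classify_nat_t(payload: bytes) -> NatTRecord:
    """Return what one UDP/4500 datagram carries, using only the on-the-wire framing."""
    if payload == NAT_KEEPALIVE:
        return NatTRecord("keepalive")
    if payload.startswith(NON_ESP_MARKER):           # IKE, not ESP: SPI 0 never appears in ESP
        body = payload[len(NON_ESP_MARKER):]
        if len(body) < IKE_HDR.size:
            return NatTRecord("malformed", {"reason": "short IKE header"})
        ispi, rspi, _next, ver, exch, flags, msgid, length = IKE_HDR.unpack_from(body)
        if length != len(body):
            return NatTRecord("malformed", {"reason": "IKE length field does not match datagram"})
        return NatTRecord("ike", {
            "initiator_spi": ispi.hex(), "responder_spi": rspi.hex(),
            "major_version": ver >> 4, "exchange_type": exch, "message_id": msgid,
            "from_initiator": bool(flags & 0x08), "is_response": bool(flags & 0x20),
        })
    if len(payload) < 8:                              # ESP needs at least SPI + sequence number
        return NatTRecord("malformed", {"reason": "short ESP header"})
    spi, seq = struct.unpack_from("!II", payload)
    if spi < 256:                                     # RFC 4303 s.2.1: SPIs 0-255 are reserved
        return NatTRecord("malformed", {"reason": f"reserved SPI {spi}"})
    return NatTRecord("esp", {"spi": spi, "seq": seq})

def tunnel_summary(datagrams) -> dict:
    """Aggregate a capture of UDP/4500 payloads: kinds seen, ESP SPIs, IKE exchanges, problems."""
    records = [classify_nat_t(d) for d in datagrams]
    return {
        "counts": dict(Counter(r.kind for r in records)),
        "esp_spis": sorted({r.detail["spi"] for r in records if r.kind == "esp"}),
        "ike_exchanges": [r.detail["exchange_type"] for r in records if r.kind == "ike"],
        "problems": [r.detail["reason"] for r in records if r.kind == "malformed"],
    }

# Constructed sample capture: an IKE_SA_INIT request, two ESP data packets, a keepalive, and
# one datagram whose IKE length field does not match its real size.
SAMPLE_IKE_INIT = NON_ESP_MARKER + IKE_HDR.pack(b"\x11" * 8, b"\x00" * 8, 33, 0x20, IKE_SA_INIT, 0x08, 0, 28)
SAMPLE_ESP = [struct.pack("!II", 0xC0FFEE01, seq) + b"\xaa" * 16 for seq in (1, 2)]
SAMPLE_BAD_IKE = NON_ESP_MARKER + IKE_HDR.pack(b"\x11" * 8, b"\x22" * 8, 33, 0x20, IKE_AUTH, 0x28, 1, 999)
SAMPLE_CAPTURE = [SAMPLE_IKE_INIT, *SAMPLE_ESP, NAT_KEEPALIVE, SAMPLE_BAD_IKE]

if __name__ == "__main__":
    print(tunnel_summary(SAMPLE_CAPTURE))
```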

A little bit of everything indeed.

I’ve been so busy lately that I hardly have time left to make a decent blog post. It might be best to stand still for a moment, take a deep breath, and recapitulate what has happened in the past months. By the end of 2011, I got CCNP certified, and around the same time, I got my first job in the networking field as a Network and Security Engineer in a data center. However, the fact that I’ve written few blog posts and haven’t studied much doesn’t mean that I haven’t learned. I’m now starting to have some basic experience with real world network situations, both by successful troubleshooting and, unfortunately, trial and error.

One of the questions that I asked myself recently is ‘Did my CCNP actually help in all this? Can I really use that knowledge in the field?’ Short answer: yes. Long answer: it depends. Since a data center generally puts emphasis on large layer 2 domains, and one of my projects involved a campus network for end users, I’ve mostly used my knowledge from the CCNP SWITCH course so far (I even have the book on my desk and consult it regularly). Port-channels, STP, and security features like 802.1X and DHCP Snooping have proven their worth already. My BPDU Guard implementation even stopped a loop when, a few days after my configuration, an end-user connected both ports of an IP Phone to the wall plugs (and thus to the switch). Layer 3 (CCNP ROUTE) has been of less use to me, but that’s mainly because of the job I do. I can imagine working in a layer 3 infrastructure such as an ISP would certainly benefit from it.

What did provide me with an unexpected great help was my knowledge of VPN, which I got entirely from the CCNA Security course. Although it does not cover all possible VPN scenarios, it certainly helped understanding the fundamentals, the encryption mechanisms, and the tunnel creation. I’m sure it saved me days of looking through guides and documentation in an effort to understand it.
Lastly, I do have to add that while CCNP gave me an excellent start, it does not cover everything. There were a lot of devices I didn’t know yet when I started (see my post on networking-forum.com). Luckily, all these devices rely on the same basics and comply with the OSI model (most of the time).

Second question: ‘Did my lab prepare me for the real world?’ Well, this one is a bit of both. In most regards, it didn’t prepare me at all. There’s a vast difference between troubleshooting something in a lab environment and in a live environment. There’s a much higher risk that a command will impact traffic on the device you’re troubleshooting. Downtime is not an option. The situations also differ, as do the symptoms, because a network under stress reacts differently. It’s easy to do a packet capture in the lab, but finding that one meaningful packet in a sea of data on a live network is a whole different thing.
On the other hand, repeatedly typing all those commands, seeing the changes and output, and doing it over and over again, made me fast with the IOS. I don’t have to look for commands and I know which ‘show’ command gives me the required information. Originally I used the lab this way to do the CCNP exams fast and with confidence, but I can now use this in the real world too. In the middle of troubleshooting, it’s a skill that saves time.

And the third question that came to mind lately was: ‘Did I learn from my mistakes?’. I hope I did. I’m going to be fair and list my failures here, but also what I’ve learned from it:

  • Crashing a core switch on a campus LAN during ping and bandwidth tests.
    What I’ve learned: this one was a bug and in hindsight I couldn’t have known. Still, it did raise my awareness of the impact of bugs, and I try to make sure that everything I do, however small, will impact as few users as possible if something does go wrong.
  • Creating a loop on a campus LAN.
    What I’ve learned: double-check everything. While not directly due to my misconfiguration, I did miss a BPDU Filter command left on the switch a long time ago. If you’re going to make changes, check the ports. If you add/delete/move just one port in a port-channel, recheck all ports of the port-channel.
  • A switch not booting properly after an IOS upgrade.
    What I’ve learned: that I was right to take backups of the existing IOS and running-config right before the upgrade. So no failure here, but still good advice to anyone out there.

So this is how the ride has been so far. Did I have fun? Yes, it was very stressful at times, but I’m liking my job and I’m still learning a lot. Stay tuned, because I’m taking an IPv6 course at Cisco Systems in Brussels (yes, virtually next to the CCIE lab) and my next blog post will be IPv6 related!

So much to read!

I haven’t posted anything in a while, because I haven’t labbed anything lately. Instead, I’m trying to catch up on my reading. I’ve already mentioned before that I check the CiscoPress eBook Deal of the Day every day, and over the last eight months, I’ve gathered quite a library of legal eBooks. So far, I haven’t finished a single one of these books, but I have read a lot of chapters in different ones. Let’s list them (I like making lists):

  • Implementing Cisco Unified Communications Voice over IP and QoS (Cvoice) Foundation Learning Guide (CCNP Voice CVoice 642-437), 4th Edition
    The first purchase. I got tempted because I’ve got some IP Phones, and QoS, especially combined with voice (as it most often is in reality), sounded like a good topic.
  • PKI Uncovered – Certificate-Based Security Solutions for Next-Generation Networks
    Initially an impulsive purchase, but I’m happy with it now as I find this topic difficult to understand (as do many, I notice), but it’s very useful to know when dealing with data security.
  • Enterprise Network Testing
    I bought this one halfway through my CCNP studies. Since I didn’t have any experience at that moment, picking up some common practices seemed like a good idea.
  • IPv6 for Enterprise Networks
    It’s IPv6, one of my favorite topics. So that’s a perfect excuse to get out my wallet.
  • CCNP Security Secure 642-637 OCG
    With topics like DMVPN, SSLVPN and general security information, why wouldn’t this be good? I’ve got a CCNA Security so the exam is an option too.
  • CCDA 640-864 Official Certification Guide (OCG)
    I’m actually studying this now, it’s very theoretical but I like the design insights.
  • ARCH Foundation Learning Guide 642-874
    This one became Deal of the Day about two weeks after I found the CCDA OCG. I didn’t hesitate: with ROUTE and SWITCH already done for CCNP, with a bit of luck this may help me get another professional-level certification.
  • Troubleshooting IP Routing Protocols (CCIE)
    A CCIE-level book shows up less than once a month, so I got tempted again.

The above eBooks were all Deal of the Day, so at $9.99 each, that’s $80 for eight books, two of which came with an exam simulator. Can’t beat that.

Apart from eBooks, I’ve got hard copies too: the three CCNP books and the CCNA Security OCG. Also, I had the chance to borrow a ‘NX-OS and Cisco Nexus Switching’ hard copy from work, which I’m reading right now. EIGRP is a hybrid routing protocol again according to this book. Seriously? But apart from that, the book is really interesting, showing what the Nexus is worth with secured BGP sessions, FCoE, vPC, and so on.

Now I’m off to read some more, and hopefully post something new and interesting next time!

My last blog post for 2011! The past few days I’ve mostly been playing games, and reading some CCDA stuff. No labs for the weeks to come, I have to redesign my home lab first and integrate the access server.

I did still learn some small things this week:

  • A Cisco device without ‘ip routing’ enabled (like an unconfigured layer 3 switch) needs the command ‘ip default-gateway’ to be reachable from another subnet. But once ‘ip routing’ is enabled, this command no longer works, and it needs a default route for similar behavior.
  • Cisco PoE endspan devices (PoE capable switches) use PoE mode A, while midspan devices (PoE injectors) use PoE mode B.
  • I learned what SSL offloading is, and that it can be used together with an IDS/IPS for improved security.
  • 10 Gigabit Ethernet requires Cat6A UTP, and runs up to 100m. For 40 and 100 Gigabit there’s no cabling standard as far as I know.

Well, that’s it. Happy holidays to everybody!