Saturday, 24 May 2014

One day in Diegem

Well actually, it was 3 days in Diegem, but only 1 counts I guess.

The prequel to me taking the CCIE v4 lab started back just before the v4 retirement date was announced. I'd been simply dipping my toe into CCIE material for a few years and I had to make a decision. Do I continue to dance around the fringe of the CCIE without ever doing anything about it, or do I jump in now, ready or not, before the dates are eaten up, and give the v4 a shot?

Well I opted for the latter.  I already had the written, so regardless of cost, I wanted to give this a one-time shot.  Most of my prep work and experience was based on v4 so it was now or never......well not really, but it felt like that.

I got myself the INE All Access Pass and I also managed to get a Cisco 360 subscription through my job. The INE material, particularly the VoDs, is really excellent. Because I had both 360 and INE workbooks and with time being at a premium, I decided to put my primary efforts into the 360 workbooks, thinking that they might give a more accurate representation of the actual lab, and therefore I (regretfully) didn't make as much use of the INE workbooks as I would have liked. Sadly, IMO, the 360 assessment labs fell well below the standard of the actual lab, or at least the lab I got on the day.

So I landed in Brussels early Saturday morning 17th May, only a short(ish) hop from Dublin. I got some supplies and spent Saturday and Sunday in my hotel (NH Hotel) room, reading and watching some VoDs etc. Thinking back, nothing was really going in, but it was still the best preparation (for me anyway). Keeping myself immersed in the study mindset was the best way to keep me zoned in and also calm. Did I feel 100% prepared? No. Did I feel confident........yes. I didn't want to fall into the trap of assuming failure on the first attempt, I like to think positive. Although, when I say I didn't feel prepared, I mean, what I did know, I knew well, but I most certainly didn't have all the bases covered. There were huge gaps and I was very aware of this as well. And the source of my confidence came from my Cisco360 assessment performances. I was passing the TS labs well, and I was hitting ~70% average on the config labs. I was thinking that if the real lab is in any way comparable to the Cisco360 assessment labs, then I might have an outside chance. As I've already said, that wasn't quite the case.

Fast forward to 08:15 Monday morning. The proctor meets us, gives us the run down, assigns us our racks and tells us to log in with our email address. I move the mouse to click into the login box, and the mouse crawls across the screen. I'm thinking "not ideal, but no biggie". So I go to type my email address, my fingers are hitting the keyboard and only every second or third letter is appearing. How hard do I have to hit these keys to trigger a response? Pretty hard, it seems. The keys were ridiculously under-sensitive, and the spacebar was ridiculously over-sensitive. So I ended up with "con ft", "cnf t", "onf t" etc etc over and over again. I'm just not used to typing that hard on the keyboard and I found it so so difficult. It slowed me down greatly, and during the TS section, this was the killer. Maybe I just got a poor keyboard or maybe the Logitech K120 keyboard is just like that, but when I asked the other first timers later in the day what they thought of it, they had the same experience. I have read about the keyboard from others' experience, but most are referring to the actual layout (US layout). But that wasn't the part I had trouble with. Maybe I could have asked the proctor for a new one, I don't know? During the TS, where time is not on your side, I just wanted to push through.

As for the lab delivery system itself, I'm used to high resolution, small font kinda stuff. I like things to fit into my field of vision, without having to scroll around too much. Well, there was a lot of scrolling, even to get from one side of the topology to the other. Things were just big to look at.

We were allowed to take drinks to the desk, but nothing else. No pens/pencils. However the provided ones were beyond useless. I took some from a vacant desk and these were a little (not much) better.

And to top it all off, we all lost our racks for 1hr in the afternoon, some technical issue that had the proctor running about. Luckily, there was no reload required, so nobody lost anything. I just didn't feel comfortable at all. I couldn't get into any stride or momentum, I just couldn't keep my head in the game.

I don't think there's any NDA issue here, but for the lab itself, I was surprised at the volume of configurations per task. I was used to labbing 2-3 configurations per task for the awarded points. What I got was 5-6 configurations per task. Again, maybe that was the particular lab I got on the day, or maybe that's the norm. I've nothing to compare it to, so maybe others can chime in. It just seemed to go on forever.

You're probably thinking, yeah yeah, you failed, blame the keyboard, excuses excuses.........  But no, I have no excuses.  Technically, I didn't have it on the day, and I know that.  I think if I didn't have the keyboard distraction, I could have passed the TS, but from what was in the configuration section, even if I didn't have those small distractions, I didn't have what it would have taken to get 80%.  I might have done better than I did, but I wouldn't have passed it.

Maybe with v5, things will be different. Maybe the delivery system will be improved or maybe simply my preparation should be improved, who knows. I didn't see "new keyboards" on the v5 blueprint, so I guess you just have to use what you're given on the day. What I will say though is that for something that people put so much time, effort and money into, the quality of the equipment shouldn't be the talking point. And just to make the point, I wasn't the only one talking about it on the day.

But with all said and done, I came away from the attempt with a new lease of life for v5. I want to do it and do it properly. I've blown the dust off the blog (actually I moved and renamed it) and I hope to cover all the blueprint topics for both the written and lab and keep them here for my own benefit. I also need to get into some Python programming which I may cover here as well. Who knows, this might be the last post..........

C ya,


Saturday, 27 August 2011

All style, no substance


I haven’t sat down to blog about anything in a while but I read an article recently about the age old Certification argument. I was posting a reply and thought I’d blog it instead. In summary, the article goes into the value of vendor certs and reading between the lines, the abuse of vendor certs. My personal vendor experience is with Cisco but the same applies across the market.

I can see both sides of this argument - it's chicken and egg stuff. Do I get the certs to get the interview or do I get the experience to get the job? The harsh reality is that you'll need both. Just because you have a CCNA and just because the employer is seeking a CCNA, doesn't make you a shoo-in for the job. The same goes for CCNP and CCIE and pretty much every other vendor cert out there.

Let's be honest here, if someone wants a cert, there are various ways and means of getting that cert without having to even open a book. That is the real, however unfortunate, truth. I interviewed a guy recently whose CV stated he had CCNP/CCVP/CCIP/CCDP, amongst a lot of other MS certs as well. It had everything, to the point where it was almost suspicious, but I suppose you have to believe it's all genuine until you can prove otherwise.

I was interviewing him for a Voice Engineer job. It was just a phone screen but from the outset I could tell that he didn't really understand networking fundamentals. The basic operation of a layer 2 switch, which should be easy pickings for any good CCNA, was lost on him. Likewise, the role that ARP plays in a network was a mystery. I then asked him how his IP addressing skills were, and he said, and I quote, "they're good - if you ask me about any subnet I'll tell you how many hosts that subnet has" - sounds strangely familiar. Unfortunately (for him) I asked him to split a Class B network into 4 equal subnets and give the subnet mask used. I could hear him messing with a keyboard (calculator presumably) and muttering stuff to himself. I gave him a couple of minutes and he eventually said "I don't know". My aim wasn't necessarily to get the answer from him but for him to at least demonstrate that he knew the basic process.

The next question nearly sent me over the edge. On his CV, in BIG BOLD CAPITAL LETTERS, was CCIP. Now I don't have a CCIP but I do know what it is and what's contained in it. Because I don't have much BGP/MPLS experience, there was only so far I could take it, but as it turned out, I didn't need to take it far. I gave him an example of two directly connected routers with an eBGP peering and a question about update-source. He very quickly told me that the example I gave him should be an iBGP relationship and not an eBGP relationship. We left that one there. I asked him the difference between LDP and TDP and he didn't know what they were. So I queried the fact that he had a CCIP, and he very nonchalantly replied "yes, but I only studied the theory". I felt like saying "by theory, of course you mean T*King". We continued the interview and he did have some voice experience and did well in some areas, but nowhere near CCVP level. But at this stage I had just lost interest in him. He could have demonstrated CCIE level knowledge in voice, but I felt lied to, bordering on insulted; the damage had been done.

Now I wasn't setting out to trip this guy up nor catch him out, but I believe that if you have it on your CV, then it's fair game. You might argue why was I quizzing him on CCNP/CCIP when I was interviewing him for a CCVP position. Well, if you drive a car, you should know how to pump petrol or change a tyre, but they don't test you on it. Again, if it's on your CV then why not.

I've kind of gone off the point a bit here, but what I wanted to get across was that you can have as many certs as you like but without the experience, or basic knowledge for that matter, to back them up, they'll only serve as window dressing for your CV. Few, if any, employers will take your CV at face value and automatically believe unconditionally that what's in it is true. And you can bet for most technical jobs at most levels, there'll be a technical screen. So why - what's the point??

If I were to play Devil's Advocate for a second, you could argue that if you're employed by a vendor partner and the value of the cert outweighs the value of the knowledge, then that could be a reason why, because certs count for a lot in partner-vendor relationships. But you're still cheating yourself. If you're actively looking for employment, and you sprinkle your CV with certs that you don't have the knowledge to back up, you're insulting the intelligence of the people you're applying to, you're embarrassing yourself and you're wasting everyone else's valuable time.

And that was only the first interview…………………….

Blogging is so therapeutic :-)

Monday, 28 February 2011

Taking a step back.........

So I’ve been doing a lot of thinking about my pursuit of a CCIE. I have a lot of CCIE study material that I’ve purchased over the last year or so, thinking that if I make the investment that will give me the impetus to push on and keep my head down. Every minute I’m reading and studying this stuff, I’m loving it. So what’s the problem I ask myself? I also ask myself – what is the definition of a CCIE. What’s your definition of a CCIE? What do you believe a CCIE represents?

I’m not a certification junkie. I used to be……when I was in the Microsoft world. The more certs you had under your belt the better you were, or perceived to be. It was all about the certs and nothing else. Does the quantity of certs an individual has necessarily equate to how good they are?? Sometimes, but it’s not an exact formula.

Since coming into the networking arena and pursuing Cisco certifications, it gradually stopped being about the certification and started being about the knowledge. It's no longer about the four letters CCNA, CCNP, CCIE or whatever, it's about achieving a specific level of knowledge and then using and improving on it. What I mean by that is, of course the certs are important as a goal, but understanding it is more important. There are countless engineers out there who are not CCIEs, not even CCNPs, but who have knowledge that would put even the most experienced CCIE to shame. That being said, I think the certifications are important to give you a direction to work towards, but they should come as a by-product of the knowledge, not the other way around.

I've had to take a step back from it all and assess the reality of the situation. I've come to the conclusion that I've too much going on at home, too much going on at work and I simply do not have the commitment required to go headstrong into CCIE certification. And if I'm being really honest with myself, I don't think I have enough of a foundation on which to build up to CCIE level. It's about broadening and increasing my knowledge, which will ultimately make me a better Network Engineer and give me a better foundation to build on. Don't get me wrong, I do still want to go down the CCIE route, but I think I'll take the scenic route.

I completed my CCNP 3 years ago which was a labour of love. I genuinely did enjoy it and this is the area where I really want to be. This has since been recertified by the completion of the CCVP recently. I did enjoy most aspects of the CCVP, but it was mainly employer driven and not personally driven – big difference. My main day to day role is currently in voice so the CCVP wasn’t just a certification, it was applicable and I did (and do) apply the knowledge to my every day job. But I believe you really need to have a passion for this stuff to really enjoy it. If you really enjoy it, I think you see past the certification. You don’t forget about it obviously, but it’s not the main driving force keeping you churning. Unless you’re walking in the door to take your CCIE Lab – at that stage it IS about the 4 letters and the digits that follow it.

So as a refresher, I think it might be beneficial to recertify my CCNP with the new track of exams. But along with this I’m looking at increasing my fundamental design knowledge. So I’ll get some CCDA material and begin around that. And presuming I complete ROUTE and SWITCH, I may look at CCDP material and continue on with the design side of things. So after the earlier rant about not wanting to follow the four letters, I’ve just mentioned 3 different certifications in the one paragraph. But as I said, it’s about setting a goal to reach and giving yourself a direction to follow.

Each blog I read, every tweet I see or podcast I listen to just serves as a reminder of how much work is involved in achieving the expert level of knowledge required for CCIE certification. It also reminds me how far away I am from that level. So I think I’m somewhat lost at the moment. CCIE is not a realistic goal for me right now even though I still have the hunger for it, so maybe the stepping stones of the CCNP and CCDP over the next year or so will allow me to maintain the hunger for it. The “Baby steps” approach! Maybe take it further and go for the written as well just as a taster but it will be a couple of years before I can realistically commit the time required for the lab.

Speaking of hunger……………….

Tuesday, 25 January 2011

Should every "Study Blog" have a disclaimer...?

So I'm getting into the groove with the whole "Study by Blogging" technique. I find I do a lot more research and information gathering than I would if I was just note taking. I also spend time lab-ing stuff so I can use screen shots of debugs etc in the post and diagramming it all in Visio for the same reason. I asked myself why.........and the answer I gave myself is that I want to know it as well as I can but more importantly, I don't want to embarrass myself by "publishing" information that's wrong. I'm not against constructive criticism, but no one likes to think they're being laughed at - even if they're not. Not that many people are following this blog, but at the same time, a quick Google search may drop this site in your lap regardless of whether you're following it or not. Maybe that's the incentive of "Slogging" (Study by Blogging - get it??...uugghh), there's more pressure on you to be factually correct because this is stuff you're putting into the public domain.

As I mentioned, there's not many following this blog, there isn't a lot to read right now. But there are blogs out there that I follow, as do A LOT of other people in the same situation as me. Even if you're not studying, if you're just looking up a topic or refreshing your memory, these blogs are an absolute priceless resource. But are they, or should they be treated as authoritative sources of information?? I suppose the answer is that some are and some aren't - not a very helpful answer. But I think if you've been around long enough, you'll have a good idea of what sources you can trust. I suppose you have to do your due diligence as well - source your information from more than one source. There's a lot of misinformation out there, not intentionally misleading the reader but just interpreted wrong and put on a blog and some student uses it as a learning reference.

What I like to be able to do while writing something up is reference certification books, Wikipedia, blogs and labs etc....until I'm comfortable that I have a clear understanding of what I'm writing down. And if I have some conflicting information I dig deeper to find out what's right and what's not. However this blog is about me keeping study notes. Maybe I should also make it clear that although I make every effort to ensure that the information in the posts is correct, it's certainly vulnerable to errors. And it most certainly is not an authoritative source of information. And why wouldn't I make every effort to ensure it's correct? If I don't put the work in to ensure it's correct, then I'm the one learning it incorrectly and ultimately the biggest loser.

I'm just reading back over the above and I'm not too sure where this rant has come from. Maybe it's a lack of confidence in my own abilities. Or maybe I just don't want someone using this information only for it to turn out not to be 100% correct. I haven't been a victim of misinformation (that I know of). But I suppose as someone who is putting information into the public domain, regardless of whether it's for my own consumption or not, I feel I should have a responsibility to ensure that visitors to the site know that it's just my mind on paper. I can't and don't claim that it's all correct.

So this is my disclaimer :-)

End Rant.......

What do you think? As always, your thoughts and comments are welcome.

Wednesday, 19 January 2011

Packet Capture feature of GNS3

Just a quick note to tell you what I learned today....

So I was planning some GNS3 labs around OSPF LSA Types 1 & 2 and I was thinking - OK, it would be nice to post some Wireshark screenshots of the innards of a Link State Update packet. I was thinking I'd have to break open my hardware lab and set up a SPAN port and monitor the 3 ports of an OSPF broadcast segment. As luck would have it, I said I'd quickly google "packet capture GNS3" just to see what others are doing.

And there you have it - what others are doing is right-clicking an interface link (G/F/Ethernet or Serial or otherwise) and clicking capture. And that's it - up pops Wireshark (if you have it installed) and away it goes. One thing it doesn't appear to do is auto refresh; you have to continuously press CTRL-R.

And that's what I learned today........

Friday, 17 December 2010

CCIE Study Notes - How do you keep yours??

Hi Guys - I hope this finds you well :-)

I'm looking for some recommendations or suggestions on how to keep notes for studying CCIE R&S. I will be blogging but I'm a real pen&paper man. Need to write it to remember it, then blog it to solidify it.

Did you buy a bunch of writing pads and just start scribbling, or did you separate your notepads into technologies or topics. Or did you just type away at your laptop and hit save??

For my CCNP, I just started scribbling on the next blank page depending on whatever topic I was studying. This resulted in OSPF Area Types being stuck in the middle of Multicast RPs etc.... That's why whenever someone asks me about Type 7 LSAs, I think........Sparse Mode!!

I know everyone is different so I'm just looking for ideas on how you did it. It's not specific to CCIE either.....

Thanks in advance,


Friday, 26 November 2010

Beware - IOS Object Groups for ACLs are BAD

Over the past few days, I've been working on replacing a customer's ASA5505 with an all singing, all dancing 2951 ISR. They have 3 internet connections terminating on the box and because the ASA doesn't do PBR (that I'm told anyway), we're policy routing certain traffic to certain internet-based hosts out certain links. And with that, a raft of rules that need to come over from the ASA as well as multiple IPsec site-to-site VPNs coming in on different interfaces.

So the ASA is what it is, object groups are bread and butter stuff for the ASA and although not necessarily a new feature on IOS, object groups traditionally have not been used as much. So when it came to translating the config over from the ASA to the router I thought "Thank God for Object Groups for ACLs". After the trouble I've had I'm thinking "I shake my fist at you, Object Groups for ACLs".

It all started a couple of weeks ago. Because of the nature of this particular business, downtime windows are quite few and far between. So we said 6pm for 2 hrs; I said that's tight but once everything works it should be just a bit of fine tuning. So initially what I wanted to do was get the LAN and 3 WAN interfaces functional. So up came the 3 WAN i/fs, up came my SLAs and tracked routes and I could ping out all 3 WAN i/fs. OK, now I'll apply the crypto map to the 3 WANs and bang………………….down went my tracked routes and down went all connectivity to the outside world. I thought - Oh, NAT, thinking I'd made a typo in one of the crypto ACLs that included an "ip any any" pushing all traffic through the tunnel. I checked, checked and checked again (I'm a bit OCD, I have to do everything 3 times) but I couldn't see anything wrong. Literally, with the crypto maps on, nothing could get in/out of the WANs. Admittedly, I thought BUG……this was 15.1 IOS on the 2951 ISR, relatively new. I didn't spend too much time troubleshooting as we were nearing the critical point of the downtime window where we would have to start moving stuff back. My confidence in 15.1 was immediately shattered so I called a halt and advised the customer that it would be prudent to get a TAC case logged to see what they think.

Next day, a very nice guy from TAC pointed me to . Object Group-based ACLs are not supported with IPsec. Well thank you very much. Object groups were introduced around the 12.2 era; you would think that someone might have thought it a good idea to put a little warning into the IOS to say that they're not supported with crypto maps.

So we got over that hump by simply creating new ACLs for the crypto maps. Next window of opportunity, same deal, 2-3 hours this time. So up came the interfaces, on went the crypto maps, yey…….QM_IDLE everywhere. A lot of testing, correct traffic passing over the tunnels, getting responses……I like.

Now onto my PBR. General web traffic to go out one interface, certain web traffic to certain hosts to go out another interface. As well as this, web-based applications used over the site-to-site VPNs needed to be unaffected…that's fine, I denied the LAN > remote subnets in the route map ACL. So on went my policy map……..nothing. Everything was still going out the default route. I checked, checked and checked again (OCD) and the ACLs for the route maps were bang on. I was getting matches against the route map and matches against the denys on the ACL. But I was no longer getting matches on the permit in the route map ACL….WTF. For some reason, even though the deny statements only specified the LAN > remote VPN subnet for all the VPNs, everything was being matched. I removed all the deny statements and things started to go out the correct interface. But as soon as I put even one deny in, it caught everything, which denied it in the route map and simply routed it normally - out the default route. What was the problem……………I had used object groups in the route map ACL for the deny statements. Once I removed the deny statements and added them in manually with each subnet specified instead of object groups, I started to see what I wanted to see.

At this stage, we had everything working and I was tidying up the config a bit, testing SSH externally to one interface to make sure that I couldn't get in. SSH on this particular interface is NAT'd into a host and is locked down via the OUTSIDE ACL to allow only certain IPs in. I could get into it. I thought maybe I'd forgotten to put a deny into the OUTSIDE ACL but no, it was there. There was a permit to allow SSH from those specific IPs, of which I was not one. I wasn't even getting matches against the deny statement. I turned on logging for the deny statements, including the "deny ip any any" at the end, and on the SSH permit statement to see where the SSH was getting in. I flipped open "terminal monitor" expecting to have to sift my way through the many deny messages being generated by the "deny ip any any log" at the end of my OUTSIDE ACL…….nothing. I started to look at the ACL for matches against the "deny ip any any" and the counter wasn't incrementing. I thought OK, it's 8pm but surely somebody on the internet is trying to get at this IP!! So I did a Shields Up test, and my ports came back as closed, not stealth. Closed just means they're not being NAT'd in. If the "deny ip any any" was working, they should report as stealth. Only one object group was present in my OUTSIDE ACL, which was a service group allowing HTTP, HTTPS and SMTP into the WAN interfaces. This quite unassuming statement was permitting everything to hit the WAN interfaces. I removed it, configured the ACL entries manually with the IP addresses and all of a sudden, my console starts erupting with DENY log messages…..which is good.

My lesson for the day - don't trust Object Group-based ACLs in the IOS. Seriously, don't!! It might save your life one day!!
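The workaround the post lands on three times (crypto map ACLs, the route map ACL and the OUTSIDE ACL) is the same: rewrite every object-group reference as explicit ACEs. Doing that by hand on a box with three WAN links and several VPNs invites exactly the typo the post worried about, so here is an added example, not the post's own config and not a Cisco tool, that expands an IOS extended ACL mechanically. The group and ACL names and the RFC 5737 documentation addresses are constructed placeholders; the expansion assumes IOS semantics as documented for these features: network-group entries carry a subnet mask while ACE address specs carry wildcard bits, and a trailing "eq"/"range" in a service-group entry matches the destination port.

```python
"""Expand object-group references in an IOS extended ACL into explicit ACEs.

Constructed example: names and addresses are placeholders, not a real site.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample config in IOS syntax (RFC 5737 documentation addresses).
SAMPLE_CONFIG = """\
object-group network REMOTE_LANS
 description constructed remote VPN subnets
 host 192.0.2.10
 198.51.100.0 255.255.255.0
object-group service WEB_MAIL
 tcp eq www
 tcp eq 443
 tcp eq smtp
ip access-list extended OUTSIDE
 permit object-group WEB_MAIL any host 203.0.113.10
 permit tcp object-group REMOTE_LANS host 203.0.113.10 eq 22
 deny ip any any log
"""

Groups = Dict[str, List[str]]


def parse_config(text: str) -> Tuple[Groups, Groups, Groups]:
    """Collect network groups, service groups and extended ACLs by name."""
    net_groups: Groups = {}
    svc_groups: Groups = {}
    acls: Groups = {}
    current: Optional[List[str]] = None      # block receiving indented lines
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if current is not None:
                current.append(raw.strip())
            continue
        parts = raw.split()
        if parts[:2] == ["object-group", "network"]:
            current = net_groups.setdefault(parts[2], [])
        elif parts[:2] == ["object-group", "service"]:
            current = svc_groups.setdefault(parts[2], [])
        elif parts[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(parts[3], [])
        else:
            current = None                   # unrelated top-level command
    return net_groups, svc_groups, acls


def mask_to_wildcard(mask: str) -> str:
    """Group entries carry a subnet mask; an ACE needs the inverted wildcard."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))


def take_address(tokens: List[str], i: int, net_groups: Groups) -> Tuple[List[str], int]:
    """Consume one src/dst spec at tokens[i]; return its expansion and the next index."""
    tok = tokens[i]
    if tok == "any":
        return ["any"], i + 1
    if tok == "host":
        return [f"host {tokens[i + 1]}"], i + 2
    if tok == "object-group":
        specs = []
        for entry in net_groups[tokens[i + 1]]:
            words = entry.split()
            if words[0] == "description":
                continue
            if words[0] == "host":
                specs.append(f"host {words[1]}")
            else:                            # "A.B.C.D mask" form
                specs.append(f"{words[0]} {mask_to_wildcard(words[1])}")
        return specs, i + 2
    return [f"{tok} {tokens[i + 1]}"], i + 2  # already "A.B.C.D wildcard"


def expand_ace(ace: str, net_groups: Groups, svc_groups: Groups) -> List[str]:
    """Rewrite one ACE as the equivalent ACEs with no object-group references."""
    tokens = ace.split()
    action = tokens[0]
    if tokens[1] == "object-group":          # service group in the protocol slot
        services, i = svc_groups[tokens[2]], 3
    else:
        services, i = [tokens[1]], 2
    srcs, i = take_address(tokens, i, net_groups)
    dsts, i = take_address(tokens, i, net_groups)
    tail = tokens[i:]                        # e.g. "eq 22", "log", "established"
    expanded = []
    for svc in services:
        proto, *port_spec = svc.split()      # service entry: proto [eq|range ...]
        if proto == "description":
            continue
        for src in srcs:
            for dst in dsts:
                expanded.append(" ".join([action, proto, src, dst] + port_spec + tail))
    return expanded


def expand_acl(text: str, name: str) -> List[str]:
    """Return the named ACL with every object-group reference flattened."""
    net_groups, svc_groups, acls = parse_config(text)
    out: List[str] = []
    for ace in acls[name]:
        out.extend([ace] if ace.startswith("remark") else expand_ace(ace, net_groups, svc_groups))
    return out


if __name__ == "__main__":
    print("ip access-list extended OUTSIDE")
    for line in expand_acl(SAMPLE_CONFIG, "OUTSIDE"):
        print(f" {line}")
```

Order is preserved, so the flattened list can be pasted back in place of the original ACL and its behaviour compared entry by entry. After applying it, the check the post ends up doing by hand is still the right one: watch the hit counters in `show ip access-lists OUTSIDE` and confirm the final `deny ip any any log` is the entry that increments for unsolicited traffic, not a permit above it.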