CCIE Home Lab

So I’ve started preparing for the CCIE Routing & Switching lab exam; I passed the written exam in February already. Over the past few months I’ve been building my home lab. I sold all my ISRs (7x 2801s and 2x 1841s) to fund it. I’m saving a bit on electricity and can run other VMs on the server.

Equipment list:

  • 1x Codegen 4U-500 19 inch Rack: Spacious and can house the long Network Cards
  • 1x ASUS P8Z77-V LX Motherboard
  • 2x 4GB Patriot G2 DDR3 1600 MHz RAM
  • 1x Intel i5 3.4 GHz CPU
  • 1x 1TB HDD: This stores my VMs as well
  • 1x Sea Sonic M12-II-520 Power Supply – 520W
  • 1x D-Link DFE 570TX Network Card
  • 2x ADAPTEC ANA-6944A/TX Network Cards
  • 4x USB-to-serial converters
  • 1x Cisco 3570 Switch
  • 1x Cisco 3560 Switch
  • 2x Cisco 3550 Switches
  • 27x Straight through cables
  • 3x Crossover cables
  • 3x Quad Port Network Cards
  • 1x 23″ LED Monitor

I had bought two of these cards: Silicom PXG6I-RoHS PCI-X SERVER Adapter 6 Ports. They are known to work. See https://learningnetwork.cisco.com/message/164475#164475

The problem is I bought the 3.3V 64-bit version instead of a 3.3V 32-bit or 5V 32-bit one, so they don’t fit in my motherboard. They are just sitting in my study looking pretty.

Also see these blogs below for more information:

http://gns3vault.com/Faq/ccie-lab-using-gns3-and-quad-nics-for-switches.html
http://mellowd.co.uk/ccie/?tag=ser2net


Frame Relay Configs on Cisco 7200 Routers

An email was sent out to engineers from the Infrastructure team a few days ago about this. I wasn’t really going to blog about it until I had to resolve a similar problem this morning, the same one they emailed us about. Colleague A did not attach a map-class to a frame relay interface on a 7200 and the link defaulted to a CIR of 56k.

This caused mayhem as the customer could not access email, internet, ERP etc. since the line was crap slow.

Below is the exact quote from the (technically savvy) Network Installations Manager:

When configuring frame-relay sub-interfaces on 7200s please be aware that unlike the GSR, the 7200 does what is referred to as frame-relay traffic shaping. The command is active on the main interface and would apply to all sub-interfaces. What this effectively means is that unlike the GSR, where you only apply a policy-map to the frame-relay map class, you also need to make sure that your map-class has a CIR value set, without which it will default to 56K.

To give you an example, take the following sub-interface found on this PE router that does not have a map-class bound:

interface Serial6/0.641 point-to-point
description customer abc
bandwidth 64
ip vrf forwarding ABC
ip address xx.xx.xx.xx 255.255.255.252
ip verify unicast source reachable-via any
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable
frame-relay interface-dlci 46
end

If you look carefully you will notice that the CIR shows up as 56K, meaning this sub-interface is now rate-limited to 56K whether you meant it to be or not.

perouter#sh frame-relay pvc 46

PVC Statistics for interface Serial6/0 (Frame Relay DTE)

DLCI = 46, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial6/0.641
cir 56000 bc 7000 be 0 byte limit 875 interval 125
mincir 28000 byte increment 875 Adaptive Shaping none
pkts 6348746 bytes 1316027080 pkts delayed 407584 bytes delayed 214711938

This did not take a lot of time to fix, thanks to having received this email a few days prior.
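As an added example, not part of the email or this post, here is the same sub-interface with a map-class bound so the PVC is shaped at the 64k its bandwidth statement implies; the map-class name, the Bc/Be values and the policy-map name are assumptions:

```ios
! Added example, not the email's own config: main interface, map-class
! and the 64k sub-interface from above, with the map-class bound to the DLCI.
interface Serial6/0
 encapsulation frame-relay
 ! active on the main interface and inherited by every sub-interface
 frame-relay traffic-shaping
!
! Map-class name and Bc/Be values are assumptions for this example.
map-class frame-relay ABC-64K
 ! without this line the PVC shapes to the 56000 default
 frame-relay cir 64000
 ! Bc = CIR x Tc; 8000 bits gives the usual 125 ms interval
 frame-relay bc 8000
 frame-relay be 0
 ! never shape below the contracted rate if adaptive shaping is enabled
 frame-relay mincir 64000
 ! queueing policy (assumed name) applied inside the shaper
 service-policy output CE-OUTPUT
!
interface Serial6/0.641 point-to-point
 description customer abc
 bandwidth 64
 ip vrf forwarding ABC
 ip address xx.xx.xx.xx 255.255.255.252
 frame-relay interface-dlci 46
  ! bind the map-class to this DLCI; "show frame-relay pvc 46"
  ! should now report cir 64000 bc 8000 instead of cir 56000 bc 7000
  class ABC-64K
!
```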

8 months on – lessons learned pt2

This is a short continuation from pt1:

Note: this has been stuck in my drafts for months. I’m bad at this ain’t I?

4. Access Switches – Cisco kicks HP’s Butt
With Cisco switches, you can set up QoS and be as granular as you need to. You can police traffic using parameters you deem perfect for that environment. Do you know how you set up QoS on HP switches? This is how: qos “type-of-service diff-services”. Yip, that’s it folks. I used to think we use HPs because they are way cheaper than Cisco 2960s, for example. It turns out they are not. It still puzzles me why we use them. Ah well, at least you can set up VLANs on them 🙂

5. Firewalls Hate Voice
Every voice engineer knows this. Unless the FW guy knows what he’s doing, you are in for a tough time. One of our customers has an Asterisk server hosted at our DC and another one on site between the CE and core switch. We had endless trouble trying to get voice to work there. We had end-to-end QoS; from CE to PE to voice breakout ports to the voice DC. From one-way speech to dead air to “hey it’s working fine after we made changes on the FW” to “uhm it’s dead again”. Every time they made a FW change, one of these events took place. My little note to FW guys: if it’s working, don’t fiddle with it. I remember sitting with the CEO and his engineers trying to explain how QoS works and why it wasn’t the problem in that case.

6. GUI Still Sucks
For most of the MPLS routers and most tasks, we use an interface running on top of Oracle. I don’t have the in-depth details of how this works so I can’t go deeper in explaining it. For all CE devices it’s all CLI though, thankfully. I understand it’s there for a reason, which is to protect the network from engineers who don’t know what they are doing. 99.9% of the time it works well, but waiting for the script to run and activate in the background can take forever sometimes.

I had to assist with a line upgrade for a customer who wanted to run voice and data on his line. This was going to be done after normal office hours. I had to update the Controller, re-do QoS, increase the bandwidth etc. It turns out another engineer was working on the same router before leaving at 5. Maybe he waited for his job to activate, maybe he didn’t. There were errors with his config and I couldn’t do anything on the GSR router until someone fixed his mistake. My script was just queuing there waiting for this genius engineer to fix his stuff up. Support had knocked off. So I sent an email to support and CC’d the engineers who use this tool and deleted his work. Not a good thing to do but something had to be done.

And remember, absence of evidence is not necessarily evidence of absence. I don’t know why I said that. I just thought I’d put that out there for no particular reason.

QoS Cheatsheet

Yay more QoS 🙂

I posted this on Pastebin a while ago but it’s been a mission to find. I’m posting it here as well to find it easily. Feel free to use it for your own benefit. I couldn’t find an easy way to post this so I had to put it into excel and snip it. Kinda sucks but… here goes

QoS Template

I wanted to post the template I use daily to configure customer CE devices. Having it here will make it easy to find. Feel free to use it for your own benefit. I’ll also post the QoS Cheat Sheet that I posted on Pastebin a while ago.

Access Lists:

ip access-list extended CE-INPUT-VVCC
permit tcp any any range 1718 1720
permit tcp any range 1718 1720 any
permit tcp any any eq 1731
permit tcp any eq 1731 any
permit tcp any any range 5060 5061
permit tcp any range 5060 5061 any
permit udp any any eq 5060
permit udp any eq 5060 any
permit udp any any eq 2727
permit udp any eq 2727 any
permit udp any any eq 2427
permit udp any eq 2427 any
permit udp any any range 1718 1720
permit udp any range 1718 1720 any
!
ip access-list extended CE-UDP-VOICE
permit udp any any range 16384 32767
permit udp any range 16384 32767 any
!
ip access-list extended CE-INPUT-PLATINUM
! add PLAT list here
!
ip access-list extended CE-INPUT-GOLD
! add GOLD list here
!
ip access-list extended CE-INPUT-SILVER
permit ip any any

Class Maps:

class-map match-any CE-OUTPUT-VOICE
match access-group name CE-UDP-VOICE
match ip dscp ef
match ip rtp 16384 16383
class-map match-any CE-OUTPUT-VVCC
! the VVCC ACL is symmetric, so the same list serves both directions
match access-group name CE-INPUT-VVCC
match ip dscp af31
match ip dscp af33
class-map match-any CE-OUTPUT-PLATINUM
match dscp af21
match dscp af23
class-map match-any CE-OUTPUT-GOLD
match dscp af11
match dscp af13
class-map match-any CE-OUTPUT-SILVER
match ip dscp default
match ip dscp 4
!
class-map match-any CE-INPUT-VOICE
match access-group name CE-UDP-VOICE
match ip rtp 16384 16383
class-map match-any CE-INPUT-VVCC
match access-group name CE-INPUT-VVCC
class-map match-any CE-INPUT-PLATINUM
match access-group name CE-INPUT-PLATINUM
class-map match-any CE-INPUT-GOLD
match access-group name CE-INPUT-GOLD
class-map match-any CE-INPUT-SILVER
match access-group name CE-INPUT-SILVER
!

Service Policies:

int fas0/0
service-policy input CE-INPUT
!
int s0/3/0
service-policy output CE-OUTPUT
!
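The service policies above reference the policy-maps CE-INPUT and CE-OUTPUT, which the template does not include. As an added example, not the post’s own template, here is one way to define them against the class-maps above; the DSCP markings per class and the bandwidth percentages are assumptions and should be sized per link:

```ios
! Added example, not the post's own config. The percentages below are
! assumptions; the priority + bandwidth total stays under the default
! 75% reservable limit so the policy attaches without tuning.
!
! Inbound from the LAN: classify on the ACLs and mark, so the DSCP value
! is what every hop downstream trusts.
policy-map CE-INPUT
 class CE-INPUT-VOICE
  set ip dscp ef
 class CE-INPUT-VVCC
  set ip dscp af31
 class CE-INPUT-PLATINUM
  set ip dscp af21
 class CE-INPUT-GOLD
  set ip dscp af11
 class CE-INPUT-SILVER
  set ip dscp default
!
! Outbound on the WAN: strict priority for voice (policed to its share
! under congestion), guaranteed bandwidth for the data classes, and
! fair queueing for whatever is left.
policy-map CE-OUTPUT
 class CE-OUTPUT-VOICE
  priority percent 25
 class CE-OUTPUT-VVCC
  bandwidth percent 5
 class CE-OUTPUT-PLATINUM
  bandwidth percent 20
 class CE-OUTPUT-GOLD
  bandwidth percent 10
 class CE-OUTPUT-SILVER
  bandwidth percent 10
 class class-default
  fair-queue
!
```

Check the result with "show policy-map interface" on both interfaces; a class that never counts packets usually means its ACL or DSCP match does not line up with what the LAN actually sends.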

8 months on – lessons learned

Well, I’ve held the ‘voice project engineer’ position for the past 8 months. I’ve learned a lot of stuff here and I’m grateful for that. I’ve recently been given the responsibility of running with all our Hosted IP PABX (HIP) projects. Some have referred to me as the HIP Champ lol. This could be because of the potential they see, or maybe the fact that I’m the new guy and the ‘old’ engineers hate anything that has to do with dealing with end users since they use our phones.

Anyway, I thought I’d share some of the lessons learned and blunders and some unknown unknowns I’ve come across. Some are known knowns :). These are really stupid mistakes, and some I just didn’t know or wasn’t given all the info etc. I’m not making excuses though, as a little research could’ve helped prevent these. I hope someone can learn from some of these and not make the same mistakes I have made. So here’s a short list below… in no particular order:

1. Secure SIP/Web trunks on PE devices with access lists
It seems someone tried to hack into a SIP trunk I created for a customer in Germany terminating on one of our 7600 routers on our MPLS. They managed to register their device because the source IP (the customer’s Asterisk PABX) wasn’t explicitly defined in the ACL. No wait, there was no ACL to begin with. Feel free to ‘facepalm’ round about… now. They failed however to make calls using this trunk because the source number is explicitly defined on the ACME Session Border Controller.
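As an added example of the lesson, not config from the post, here is an inbound ACL on the PE interface that terminates the trunk, so only the customer’s PABX can reach the SIP port and everyone else is logged and dropped. The addresses 198.51.100.10 (customer PABX) and 192.0.2.5 (trunk address on the PE side) and the interface name are placeholders:

```ios
! Added example, not from the post. Placeholder addresses: 198.51.100.10 is
! the customer's Asterisk PABX, 192.0.2.5 is the address the trunk
! registers against on our side.
ip access-list extended PE-SIP-TRUNK-IN
 remark -- SIP signalling only from the customer's PABX --
 permit udp host 198.51.100.10 host 192.0.2.5 eq 5060
 permit tcp host 198.51.100.10 host 192.0.2.5 range 5060 5061
 remark -- RTP media for calls set up on this trunk --
 permit udp host 198.51.100.10 host 192.0.2.5 range 16384 32767
 remark -- anyone else trying to register or call: log it and drop it --
 deny   udp any host 192.0.2.5 eq 5060 log
 deny   tcp any host 192.0.2.5 range 5060 5061 log
 remark -- other customer traffic on the interface is left alone --
 permit ip any any
!
interface GigabitEthernet1/1
 ip access-group PE-SIP-TRUNK-IN in
!
```

The logged denies are worth watching: a steady trickle of hits on the deny lines is exactly the registration attempts that succeeded when there was no ACL.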

2. Encapsulation (and compression)
If you are going to be setting up encapsulation and compression for voice calls remotely so they use 16k instead of 24k per call, start with the CE. Yours truly changed encapsulation from HDLC to PPP on a PE device (GSR) first and then couldn’t get to the CE. I immediately changed it back and worked on the CE first. After this config you’ll lose connectivity, but applying the same config on the PE will give you access to the CE again. As a rule of thumb, if I have downtime I always use the ‘reload in’ command without saving the config. As you know, this will reload the router in however many minutes you’ve set, in case you stuff up and can’t get to it.

3. Cisco Callmanager Still Rocks
I got a request from a customer who wants to restrict certain desk phones from being able to dial cellphones. Sounds easy right? Except the customer wants these phones to be able to call all 50 cellphone numbers that are on his speed dial. If you are a Cisco voice person you’d immediately think ‘translation patterns’, or maybe Calling Search Spaces and Partitions if you really wanted to get your hands dirty.

This is impossible with Broadsoft. Unless of course you define all the allowed cellphone numbers one by one and only give each user access to dial those. This is a lot of admin. At my previous employer I set up translation patterns and named the list an enterprise speed dial. I set up numbers that could be dialed from any phone. This was useful for security as they couldn’t dial cellphone numbers etc. This list had emergency numbers etc.

This is getting pretty long, so part 2 will follow shortly.

CUCM Install in VMware NTP Issue

If you have installed CUCM 8.0 upwards you’ll know that without a ‘valid’ NTP server, you can’t install CUCM successfully. I had this little problem myself a few moments ago. There are posts online about tweaking your (Windows) computer registry so that it acts as an NTP server. I tried using public NTP servers but got ‘inaccessible’ error messages.

I then tried tweaking the registry (yes, I’m unfortunately using Windows) but got some access denied messages. Instead of cursing the IT Dept, I soldiered on. The next thing I thought of was connecting my PC to a router and then configuring it to behave as an NTP server.

Then it hit me: GNS3! So I set up a basic network with one router and a cloud representing my PC. One day the word PC will be a thing of the past and be replaced by MBP :).
I made sure the router is in the same subnet as the cloud/PC virtual network card. Tested and voila.

A quick note on why I’m fiddling around with CUCM. Well, in the team I’m the only one who has worked on Cisco CUCM, so I get a lot of questions on it, and I thought it wouldn’t be a bad idea to be able to lab this when I need some answers myself.

See config and snapshots below:

ntp master
!
interface FastEthernet0/0
ip address 192.168.81.3 255.255.255.0
duplex auto
speed auto
!