Wednesday, March 28, 2018

CCIE Bootcamps: INE or Micronics

tl;dr:
No "bootcamp" will prepare you for any exam. You have to prepare yourself. A bootcamp is there to run you through the paces to make sure you aren't lying to yourself. The experience is what you make of it. I used it as fuel to keep pace for as long as I can.

So, you're thinking about taking a CCIE boot camp and you've looked at a few training vendors but you aren't sure which one to choose and with the price of a boot camp roughly between $4000 - $6000, you want to make sure you choose correctly.

I'm fortunate enough to have been to an INE boot camp in North Carolina August 2017 and a Micronics Training boot camp March 2018 in Herndon, Virginia.

The INE boot camp was a 5 day CCIE Fundamentals boot camp led by Rohit Pardasani, and the Micronics boot camp was an 8 day "No Excuses" CCIE boot camp focusing on the CCIE Lab Exam, led by Narbik Kocharians.

Prior to my first boot camp I purchased the Cisco Press CCIE Official Certificate Guide (authored by Narbik Kocharians of Micronics Training and others). I had spent a few hours a week reading and thumbing through the book. I was never good at studying in this manner. I currently held a CCNP R&S and wasn't sure what I didn't know or what I needed to know to take the next step in my certification journey. The opportunity arose for me to attend a boot camp and I thought it would be better for me to learn that way: hands-on, and not distracted by day-to-day life.

INE

This was the first boot camp style training I had been to. I wasn't sure what to expect, but I had an open mind and was eager to make the best of my experience. This boot camp was held in INE's offices at RTP (Research Triangle Park), North Carolina. I stayed at the adjacent hotel so I could walk back and forth to the venue. The class was led by Rohit Pardasani, a 4xCCIE. I used this event to kick-start my studying. This class is a preparation for the CCIE written exam. This was a podium-style, instructor-led class, although there wasn't an actual podium. There was a raised table with enough room for the instructor's laptop and peripherals. To the left and right of the table were projector screens, each broadcasting the instructor's desktop. Rohit used a number of digital teaching aids while giving a lecture or going over topologies. He frequently used a Wacom tablet, allowing him to draw digitally on his screen. Rohit did not use any of the pre-canned INE slide presentations (IIRC). We each got our own login to INE's virtual training environment; this consisted of the virtual routers and switches used throughout the week. I believe the routers were Cisco CSR1000v's, hosted on a VMware backend. We never interfaced with the backend; we only telnet/SSH into each device and work through our labs. For being a "foundations" class and a preparation for the written, it was ~70% hands-on in the Cisco CLI.

  • The schedule: between 8 - 10 hours days
  • The style: Instructor led lecture with hands-on labs
  • The size: the class I attended had around 15 attendees.
  • Who should attend: anyone looking to kick-start their CCIE studies.
  • Was I ready for the CCIE Written afterward: NO
  • Was this helpful towards achieving my goals: Yes.


I really learned a lot. I learned many advanced topics that weren't introduced in CCNP materials. I discovered my deficiencies and it drove me to really dive in deep.

You should be proficient in routing and switching before taking this class.

One day during the bootcamp we were going over OSPF and I was getting lost in the network types, area types and LSAs. I went back to the hotel and watched Narbik's OSPF video (https://www.youtube.com/watch?v=cM3OI_ZyRuQ) twice back to back. I felt it was really helpful and planted the seed in my head for signing up to his bootcamp when the time comes. The next day I felt much more aware of OSPF and felt I understood the lessons better.

After the bootcamp ended I started the INE Advanced Technologies Workbook and as of this writing I am nearly finished with all the topics. It has been really helpful to follow up the bootcamp with 6 months of self-study.


...6 Months Later...

Micronics Training

The "No Excuses" 8 day boot camp was held at Cisco's corporate building in Herndon, VA; although this training was not produced by Cisco, it was held at their facility in one of their meeting rooms. I stayed at the hotel down the street and if not for the freezing weather I would have walked back and forth each day. The class was led by Narbik Kocharians, a 3xCCIE and owner of Micronics Training. Throughout class we leveraged 3 training environments. There was a real-hardware environment we leveraged for some labs. There was a virtual environment hosted on an EVE-NG/UNETLABS platform we used for directed activities and Narbik's own labs. We also, as part of our bootcamp package, received 100 hours and 10 labs on Cisco 360 (https://expert-level-training.cisco.com/), which included some graded/timed assessments.

  • The schedule: it varied and was based on the class's pace
    • Day 1 - 13 hours
    • Day 2 - 14 hours
    • Day 3 - 17 hours
    • Day 4 - 19 hours
    • Days 5 through 8 were a blur and I don't recall how many hours we put in.
  • The style: Narbik leads the class in instruction using wall-to-wall white boards. He does NOT use projectors and doesn't spend any time at the CLI. (This is stated on his website as well.)
  • The size: there were 22 students on day 1 and I believe there were 19 remaining at the end.
  • Who should attend: anyone preparing for their CCIE Lab Exam who has already put in the requisite hours to be proficient in most of the technologies. This class should be used to find out where your weak points are and learn the pace necessary to pass the CCIE Lab exam. You should be within 1 month of your exam.
  • Was I ready to take the CCIE Lab Exam afterward: NO.
  • Was this helpful towards achieving my goals: Yes.


Throughout the week, as Narbik went over the material, I was happy to see I wasn't surprised by any technology or configuration. I felt I was well prepared, far beyond where I was 6 months prior. If not for my previous bootcamp and my 6 months of self-study I would not have made it past Day 1. At the end of Day 1 we had a graded assessment lab on Cisco 360. It was an eye opener to see the pace of the lab and the depth of technologies used... the Day 1 lab was the easy one, and it only got harder. By the end of the bootcamp we were doing full-scale, ~30-device Cisco 360 graded lab assessments in just a few hours (4 - 6 hours). I really enjoyed pushing myself to the limit and completely immersing myself in the technologies and labs; that's the environment bootcamps give. Narbik whiteboards everything and I enjoyed that approach. In fact I whiteboard nearly everything at work, so I'm a fan of the style, but I would have benefited if he had used a projector to give a demonstration of the configs we were working with. That's only my opinion, because that's how I'm comfortable learning. Narbik tries to push everyone to think outside the box. He likes to give a task and take away all the obvious and basic options. Overall Narbik was great... we laughed, we learned and we laughed some more. It was a fantastic experience and I highly recommend it to all who are ready.

Cisco 360: I don't have much of an opinion on this, having only used it during Narbik's class, but I definitely will be purchasing a few more graded full-scale exams prior to my being ready for the Lab Exam.

The Cisco 360 labs had an added value for me: when you're labbing at home you aren't pushing yourself as hard as you would when you're in a room with 20 other people all trying to get the highest score in a timed event. That really helped me to build a strategy around taking the CCIE Lab Exam. It showed me how detrimental it can be to get stuck on a single item and waste your time on it. Read the entire sub-section before you start. Have a strategy and be prepared to move on if you get stuck.

If you have not prepared yourself, you will not keep up.

What I've Learned:

No "bootcamp" will prepare you for any exam. You have to prepare yourself. A bootcamp is there to run you through the paces to make sure you aren't lying to yourself. The experience is what you make of it. I used it as fuel to keep pace for as long as I can.

At each boot camp I attended I felt "here are my people": people who are serious about achieving CCIE, are passionate about what they are doing, and we can recognize each other. It's a great experience going to a bootcamp and I hope to make it back around again before it's my turn to take the lab exam.

The title of this blog post is "CCIE Bootcamps: INE or Micronics" and sadly it's misleading. It should read "CCIE Bootcamps: INE and Micronics" because that's what I really think. I think there is real value in seeing similar topics talked about and demonstrated from different points of view with different explanations.

If you had to choose only one you should ask yourself are you at the beginning of your studies or near the end?

Sunday, March 25, 2018

LinkedIn Challenge - "Z" Lab

This was a fun lab. I thought I had a solution immediately but encountered a few problems. I'll write those up separately. In this post I'll demonstrate the configs and verification.

There are 3 routing protocols running: RIPv2, OSPF, and EIGRP. In order to accomplish the below solution we must implement VRF-lite and mutual-redistribution between neighboring protocols.



The Topology:


The Solution:


My EVE-NG Topology:


To do this, we break it down into a few manageable chunks.

  1. Interface/VRF configuration
  2. Basic Routing Protocols Neighbor/Adjacencies
  3. Route Redistribution
  4. Test/Verify

Initial configs:

Interface configurations and basic VRF creation. For this basic VRF-lite configuration you do NOT need to configure a route-distinguisher or route-targets.

R1:


hostname R1


ip vrf ospf-to-eigrp
exit


interface Loopback1
 no shutdown
 ip address 1.1.1.1 255.255.255.255


interface GigabitEthernet0/0
 no shutdown
 ip address 10.1.11.1 255.255.255.0

interface GigabitEthernet0/1
 no shutdown
 ip vrf forwarding ospf-to-eigrp
 ip address 10.1.22.1 255.255.255.0


interface GigabitEthernet0/2
 no shutdown
 ip vrf forwarding ospf-to-eigrp
 ip address 10.1.33.1 255.255.255.0


R2:


hostname R2


ip vrf eigrp
exit


interface Loopback2
 no shutdown
 ip vrf forwarding eigrp
 ip address 2.2.2.2 255.255.255.255


interface GigabitEthernet0/0
 no shutdown
 ip address 10.1.11.2 255.255.255.0


interface GigabitEthernet0/1
 no shutdown
 ip address 10.1.22.2 255.255.255.0


interface GigabitEthernet0/2
 no shutdown
 ip vrf forwarding eigrp
 ip address 10.1.33.2 255.255.255.0


Verify:

At this point you should be able to ping all directly connected interfaces.

NOTE: If you have not used VRFs before you must know this: "IF YOU DON'T INCLUDE A VRF YOU ARE USING THE GLOBAL ROUTING TABLE".

Pay close attention to the ping verification commands below. We will ping in order from our lab, starting with the first link, then the second link, then the third.

From R1:

! ping the next-hop upstream from the global routing table
ping 10.1.11.2

From R2:

! ping the next-hop upstream from the global routing table
ping 10.1.22.1

From R1:

! ping the next-hop upstream from the ospf-to-eigrp VRF
ping vrf ospf-to-eigrp 10.1.33.2



Routing Protocols

Now, let's introduce our routing protocols. For OSPF on R1 I am using the "network" command and on R2 I am using interface config level commands to activate OSPF.

  • RIPv2 (GRT) R1 <--> R2 (GRT) RIPv2
  • OSPF (VRF: ospf-to-eigrp) R1<--> R2 (GRT) OSPF
  • EIGRP (VRF: ospf-to-eigrp) R1 <--> R2 (VRF: eigrp) EIGRP

R1:


! We will put all routing protocols needed for the entire lab in this single step.

router rip
 version 2
 network 1.0.0.0
 network 10.0.0.0


! I am using the router config based "network" command to 
! activate OSPF on the correct interface.

router ospf 1 vrf ospf-to-eigrp
 router-id 1.1.1.1
 network 10.1.22.1 0.0.0.0 area 0


router eigrp 1
 !
 address-family ipv4 vrf ospf-to-eigrp autonomous-system 1
  network 10.1.33.1 0.0.0.0
 exit-address-family


R2:

! We will put all routing protocols needed for the lab in this single step.


router rip
 version 2
 redistribute ospf 2 metric 2 match external 1 external 2
 network 10.0.0.0


router ospf 2
 router-id 2.2.2.2


router eigrp 2
 !
 address-family ipv4 vrf eigrp autonomous-system 1
  network 2.2.2.2 0.0.0.0
  network 10.1.33.2 0.0.0.0
 exit-address-family

! Here I am using the interface level command to activate OSPF on
! the correct interface

interface GigabitEthernet0/1
 ip ospf 2 area 0


Verify:

Now, we need to verify that our routing protocols have neighbors/adjacencies and are propagating the routes. We will verify by checking the path, starting with the GRT and the RIPv2 protocol on R1 and working our way through the path.

From R1: 

R1# show ip route rip | begin Gateway


Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
R        10.1.22.0/24 [120/1] via 10.1.11.2, 00:00:17, GigabitEthernet0/0


! Here you can see from R1 we are learning the prefix 10.1.22.0/24 from R2. This is what we would expect to see at this point because R2 is activating all interfaces in the 10.0.0.0/8 space in the GRT and advertising them to R1.
! Alternative commands: show ip rip database

From R2:

R2# show ip route rip


Gateway of last resort is not set

R     1.0.0.0/8 [120/1] via 10.1.11.1, 00:00:00, GigabitEthernet0/0

! Here you can see we are learning the 1.0.0.0/8 network from R1. This is what we expect at this point.
! Alternative command: show ip rip database

From R2:

Here we will not be able to check for OSPF routes, and there shouldn't be any yet, but we can check for OSPF neighbors.

R2# show ip route ospf
! We don't see any routes because OSPF is only advertising the shared link between R1 and R2 at this point.

R2# show ip ospf neighbor


Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:00:31    10.1.22.1       GigabitEthernet0/1

From R1:

We already verified the OSPF neighbor with R2 in the previous step. You can run the same commands if you choose: "TRUST BUT VERIFY"

Let's check for our EIGRP neighbor and routes.

R1# show ip route vrf ospf-to-eigrp eigrp | begin Gateway


Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
D        2.2.2.2 [90/130816] via 10.1.33.2, 01:03:31, GigabitEthernet0/2

R1# show ip eigrp vrf ospf-to-eigrp neighbors


EIGRP-IPv4 Neighbors for AS(1) VRF(ospf-to-eigrp)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   10.1.33.2               Gi0/2                    13 01:05:35 1308  5000  0  4


R1# show ip eigrp vrf ospf-to-eigrp topology


EIGRP-IPv4 Topology Table for AS(1)/ID(10.1.33.1) VRF(ospf-to-eigrp)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 2.2.2.2/32, 1 successors, FD is 130816
        via 10.1.33.2 (130816/128256), GigabitEthernet0/2
P 10.1.33.0/24, 1 successors, FD is 2816
        via Connected, GigabitEthernet0/2


! You can see we have an adjacency with R2 and we are learning 2.2.2.2 from R2.



Route Redistribution

For final end-to-end connectivity we need to do mutual redistribution between the protocols.


  • R2: RIPv2 <--> OSPF
  • R1: OSPF <--> EIGRP

R2: (Starting with R2 this time as it's the first place to start redistributing, the order doesn't really matter)

router ospf 2
 router-id 2.2.2.2
 redistribute rip subnets


router rip
 redistribute ospf 2 metric 2 match external 1 external 2

! Because the routes we want to redistribute from OSPF are external OSPF routes ("O E2"), we include the "match external" keywords.

R1:

router eigrp 1
 !
 address-family ipv4 vrf ospf-to-eigrp autonomous-system 1
  redistribute ospf 1 metric 1000 1000 255 1 1500
 exit-address-family

! I used a somewhat random metric, you could easily use "1 1 1 1 1" as the metric and everything would still work.


router ospf 1 vrf ospf-to-eigrp
 redistribute eigrp 1 subnets


Verify Redistribution and Test:

Check all routing tables and ping or traceroute end-to-end.

R1:

We can verify everything on each router all together.

R1# show ip route

R1# show ip route vrf ospf-to-eigrp


R2:

R2# show ip route

R2# show ip route vrf eigrp


Test:

R1# ping 2.2.2.2 source 1.1.1.1

R1# traceroute 2.2.2.2 source 1.1.1.1 numeric



R2# ping vrf eigrp 1.1.1.1 source 2.2.2.2

R2# traceroute vrf eigrp 1.1.1.1 source 2.2.2.2
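To make the "which table does the lookup hit" rule concrete, here is an added Python model of the Z path (my example, not code from the original post). The routing tables in it are constructed from the configs above and the redistribution chain, not captured output, and the ingress interface's VRF decides which table the next lookup uses.

```python
"""VRF-aware path trace for the "Z" lab (added example, not from the post).

Each lookup happens in the table owned by the interface the packet arrived
on, so a packet bounces between R1 and R2 three times and changes table at
every hop. The routes below are constructed from the lab configs and the
redistribution chain (EIGRP -> OSPF on R1's VRF, OSPF -> RIP on R2's GRT);
they are not captured output.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

GRT = "global"  # the global routing table, i.e. "no VRF"

# router -> interface -> (address/len, table). Same addresses as the lab.
INTERFACES = {
    "R1": {
        "Loopback1": ("1.1.1.1/32", GRT),
        "Gi0/0": ("10.1.11.1/24", GRT),
        "Gi0/1": ("10.1.22.1/24", "ospf-to-eigrp"),
        "Gi0/2": ("10.1.33.1/24", "ospf-to-eigrp"),
    },
    "R2": {
        "Loopback2": ("2.2.2.2/32", "eigrp"),
        "Gi0/0": ("10.1.11.2/24", GRT),
        "Gi0/1": ("10.1.22.2/24", GRT),
        "Gi0/2": ("10.1.33.2/24", "eigrp"),
    },
}

# Learned routes per (router, table): prefix -> next hop. Connected routes
# come from INTERFACES. RIP auto-summary (on by default) carries the
# loopbacks as classful /8s, matching the "R 1.0.0.0/8" the post shows.
LEARNED = {
    ("R1", GRT): {"10.1.22.0/24": "10.1.11.2",              # RIP from R2
                  "2.0.0.0/8": "10.1.11.2"},                # RIP (OSPF -> RIP on R2)
    ("R1", "ospf-to-eigrp"): {"2.2.2.2/32": "10.1.33.2",   # EIGRP from R2
                              "1.0.0.0/8": "10.1.22.2"},   # OSPF E2 (RIP -> OSPF on R2)
    ("R2", GRT): {"1.0.0.0/8": "10.1.11.1",                 # RIP from R1
                  "2.2.2.2/32": "10.1.22.1",                # OSPF E2 (EIGRP -> OSPF on R1)
                  "10.1.33.0/24": "10.1.22.1"},             # OSPF E2
    ("R2", "eigrp"): {"1.0.0.0/8": "10.1.33.1",             # EIGRP EX (OSPF -> EIGRP on R1)
                      "10.1.22.0/24": "10.1.33.1"},         # EIGRP EX
}


def routing_table(router: str, table: str) -> Dict[str, Optional[str]]:
    """Connected prefixes (next hop None) plus learned routes for one table."""
    routes: Dict[str, Optional[str]] = {}
    for addr, iface_table in INTERFACES[router].values():
        if iface_table == table:
            routes[str(ipaddress.ip_interface(addr).network)] = None
    routes.update(LEARNED.get((router, table), {}))
    return routes


def lookup(router: str, table: str, dst: str) -> Optional[Tuple[str, Optional[str]]]:
    """Longest-prefix match in one table: (prefix, next_hop) or None."""
    best = None
    for prefix, nh in routing_table(router, table).items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else (str(best[0]), best[1])


def owner(ip: str) -> Tuple[str, str]:
    """Router and table that own an interface address (the next hop's ingress VRF)."""
    for router, ifaces in INTERFACES.items():
        for addr, table in ifaces.values():
            if addr.split("/")[0] == ip:
                return router, table
    raise ValueError(f"no interface owns {ip}")


def trace(router: str, table: str, dst: str, max_hops: int = 8) -> Tuple[List[str], str]:
    """Next hops from (router, table) to dst, plus how the trace ended."""
    hops: List[str] = []
    for _ in range(max_hops):
        match = lookup(router, table, dst)
        if match is None:
            return hops, "no route"
        _, nh = match
        if nh is None:              # directly connected: delivered
            return hops, "delivered"
        hops.append(nh)
        router, table = owner(nh)   # the *ingress* interface picks the next table
    return hops, "loop"


if __name__ == "__main__":
    print(trace("R1", GRT, "2.2.2.2"))       # the Z: R2 GRT -> R1 VRF -> R2 VRF
    print(trace("R2", "eigrp", "1.1.1.1"))   # and back
    print(lookup("R2", GRT, "2.2.2.2"), lookup("R2", "eigrp", "2.2.2.2"))
```

The two lookups in the last line show the NOTE from the verification step: 2.2.2.2 is a remote OSPF route in R2's GRT but a connected loopback in VRF eigrp.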

Monday, March 19, 2018

The LinkedIn Challenge

Challenge Accepted!!!

I saw this topology scribbled on a piece of paper on LinkedIn with the caption "Try to Do it .." (https://www.linkedin.com/feed/update/urn:li:activity:6381105397989728256). Challenge Accepted! It actually wasn't a challenge at all. I knew the steps that needed to be completed to get the job done, frankly it just looked fun!



After completing the configuration I started having visions of all the other things we could do with this topology. Maybe this will become a series... I don't know... you decide.

The Proof:

There are lots of ways to bang this out quickly and sloppily; I tried to make it clear enough that I could understand what I did the next day.


Planning:


My advice is to make yourself a checklist:

  1. Define the VLANs needed to support the topology
     a. Each router has 1 physical connection but requires many logical connections; this will require trunking on all ports connecting to routers
  2. Easy to understand IP schema and VLAN schema
  3. Protocols: BGP
     a. Define 2 Autonomous-Systems
     • iBGP does NOT need "next-hop-self" because it is full-mesh

Let's break the drawing up into 2 large parts: the left side and the right side.

VLANS:

Starting with the left side:


For every router to router connection we will define a VLAN. This VLAN number will be a composite of the Router numbers, starting with the lowest. If we take a look at R1 we see it needs connections to:

R1:

  • R1 -> R2 = VLAN 12
  • R1 -> R3 = VLAN 13
  • R1 -> R4 = VLAN 14
  • R1 -> R6 = VLAN 16

Then move to R2, but remember you already have a connection to R1, so you don't need to create another VLAN for that.

R2:

  • R2 -> R1 = *** We already have this VLAN 12 ****
  • R2 -> R3 = VLAN 23
  • R2 -> R4 = VLAN 24
  • R2 -> R5 = VLAN 25

Router 3 will require even fewer VLANs because we already have VLANs defined for some of its connections. We only need to define the last VLAN:

R3:

  • R3 -> R1 = *** We already have this VLAN 13 ***
  • R3 -> R2 = *** We already have this VLAN 23 ***
  • R3 -> R4 = VLAN 34

Router 4 will NOT require any additional VLANs to support connectivity, as all of its connections have already been defined.

R4:

  • R4 -> R1 = *** We already have this VLAN 14 ***
  • R4 -> R2 = *** We already have this VLAN 24 ***
  • R4 -> R3 = *** We already have this VLAN 34 ***


VLANs for the right side:


Again, I'll start with the lowest number Router on this side which is R5:

R5:

  • R5 -> R2 = *** We already have this VLAN 25 ***
  • R5 -> R6 = VLAN 56
  • R5 -> R7 = VLAN 57
  • R5 -> R8 = VLAN 58

R6:

  • R6 -> R1 = *** We already have this VLAN 16 ***
  • R6 -> R5 = *** We already have this VLAN 56 ***
  • R6 -> R7 = VLAN 67
  • R6 -> R8 = VLAN 68

R7:

  • R7 -> R5 = *** We already have this VLAN 57 ***
  • R7 -> R6 = *** We already have this VLAN 67 ***
  • R7 -> R8 = VLAN 78

R8:

  • R8 -> R5 = *** We already have this VLAN 58 ***
  • R8 -> R6 = *** We already have this VLAN 68 ***
  • R8 -> R7 = *** We already have this VLAN 78 ***

The above lists double as a per-router trunking checklist.

IP Addressing:

All links in the drawing are direct connections between 2 routers. They will all follow the schema:

10.1.(VLAN #).(R#) / 24

Starting with R1...

R1:

  • R1 -> R2 = 10.1.12.1/24 (R2: 10.1.12.2/24)
  • R1 -> R3 = 10.1.13.1/24 (R3: 10.1.13.3/24)
  • R1 -> R4 = 10.1.14.1/24 (R4: 10.1.14.4/24)
  • R1 -> R6 = 10.1.16.1/24 (R6: 10.1.16.6/24)

Continue this for all the remaining links and routers... Remember you do not need to define another subnet for 2 routers that are already connected from a previous step.
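The VLAN, trunk and addressing rules above are mechanical enough to generate, and generating them is a good cross-check against hand-typed configs. The following Python is an added example (not the post's own code); the switch port per router and the EVE-NG interface names are assumptions taken from the diagram.

```python
"""Derive VLANs, trunk allowed lists and link addresses for the LinkedIn
challenge from its adjacency list (added example, not the post's own code).

Rules taken from the post: one VLAN per router pair, numbered from the two
router numbers with the lowest first (R1-R2 -> 12); each end of a link is
10.1.<VLAN>.<R#>/24; a switch port to a router trunks only that router's
VLANs. The switch port per router is assumed from the EVE-NG diagram.
"""
from itertools import groupby
from typing import List

# Router pairs that share a link: AS 1234 on the left (R1-R4), AS 5678 on the
# right (R5-R8), plus the two inter-AS links R1-R6 and R2-R5.
LINKS = [(1, 2), (1, 3), (1, 4), (1, 6),
         (2, 3), (2, 4), (2, 5),
         (3, 4),
         (5, 6), (5, 7), (5, 8),
         (6, 7), (6, 8),
         (7, 8)]

# Assumed switch port per router (SW1 in the post's EVE-NG topology).
SWITCHPORT = {1: "gi0/0", 2: "gi0/1", 3: "gi0/2", 4: "gi0/3",
              5: "gi1/0", 6: "gi1/1", 7: "gi1/2", 8: "gi1/3"}


def vlan_for(a: int, b: int) -> int:
    """VLAN id = the two router numbers concatenated, lowest first."""
    lo, hi = sorted((a, b))
    return lo * 10 + hi


def link_address(vlan: int, router: int) -> str:
    """Per-link /24 from the post's schema: 10.1.(VLAN #).(R#)."""
    return f"10.1.{vlan}.{router} 255.255.255.0"


def router_vlans(router: int) -> List[int]:
    """Every VLAN a router sits on; this is its trunk allowed list."""
    return sorted(vlan_for(a, b) for a, b in LINKS if router in (a, b))


def compress_ranges(vlans: List[int]) -> str:
    """[12, 13, 14, 16] -> '12-14,16', the way IOS shows allowed lists."""
    parts = []
    for _, grp in groupby(enumerate(vlans), key=lambda p: p[1] - p[0]):
        run = [v for _, v in grp]
        parts.append(f"{run[0]}-{run[-1]}" if len(run) > 1 else str(run[0]))
    return ",".join(parts)


def switchport_config(router: int) -> str:
    """Trunk stanza for the switch port facing one router."""
    return "\n".join([
        f"int {SWITCHPORT[router]}",
        f' description "to R{router}"',
        " switchport trunk encapsulation dot1q",
        " switchport mode trunk",
        f" switchport trunk allowed vlan {compress_ranges(router_vlans(router))}",
        " no shut",
    ])


def router_config(router: int) -> str:
    """Physical uplink plus one dot1q subinterface per link."""
    lines = [f"hostname R{router}", "int gi0/0",
             f' description "to SW1;{SWITCHPORT[router]}"', " no shut"]
    for a, b in LINKS:
        if router not in (a, b):
            continue
        peer = b if a == router else a
        vlan = vlan_for(a, b)
        lines += [f"int gi0/0.{vlan}", f" encapsulation dot1q {vlan}",
                  f' description "to R{peer}"', f" ip add {link_address(vlan, router)}"]
    return "\n".join(lines)


def audit() -> List[str]:
    """Checks the numbering scheme relies on; an empty list means the plan is clean."""
    problems = []
    normalized = [tuple(sorted(link)) for link in LINKS]
    if len(set(normalized)) != len(normalized):
        problems.append("a link is listed twice")
    for a, b in normalized:
        if not 1 <= a < b <= 9:           # two-digit VLAN ids need single-digit routers
            problems.append(f"bad link R{a}-R{b}")
    return problems


if __name__ == "__main__":
    assert audit() == [], audit()
    for r in sorted(SWITCHPORT):
        print(switchport_config(r), end="\n\n")
    print(router_config(6))
```

Generating R6's stanza from the link list also avoids the copy-paste slip of describing the VLAN 56 subinterface as "to R6" on R6 itself.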

Start the configuration:

I'm going to start with the switch. Using the bulleted list from above as a checklist and my EVE-NG topology for reference, we can begin to configure the switchports.

The Switch:




vtp mode transparent


vlan 1-100
exit


int gi0/0
description "to R1"
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 12-14,16
no shut

int gi0/1
description "to R2"
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 12,23-25
no shut

int gi0/2
description "to R3"
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 13,23,34
no shut

int gi0/3
description "to R4"
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 14,24,34
no shut



int gi1/0
description "to R5"
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 25,56-58
no shut

int gi1/1
description "to R6"
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 16,56,67,68
no shut

int gi1/2
description "to R7"
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 57,67,78
no shut

int gi1/3
description "to R8"
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 58,68,78
no shut



The Routers:


hostname R1


int gi0/0
description "to SW1;gi0/0"
no shut

int gi0/0.12
encapsulation dot1q 12
description "to R2"
ip add 10.1.12.1 255.255.255.0

int gi0/0.13
encapsulation dot1q 13
description "to R3"
ip add 10.1.13.1 255.255.255.0

int gi0/0.14
encapsulation dot1q 14
description "to R4"
ip add 10.1.14.1 255.255.255.0

int gi0/0.16
encapsulation dot1q 16
description "to R6"
ip add 10.1.16.1 255.255.255.0

=================================================

hostname R2


int gi0/0
description "to SW1;gi0/1"
no shut

int gi0/0.12
encapsulation dot1q 12
description "to R1"
ip add 10.1.12.2 255.255.255.0

int gi0/0.23
encapsulation dot1q 23
description "to R3"
ip add 10.1.23.2 255.255.255.0

int gi0/0.24
encapsulation dot1q 24
description "to R4"
ip add 10.1.24.2 255.255.255.0

int gi0/0.25
encapsulation dot1q 25
description "to R5"
ip add 10.1.25.2 255.255.255.0


=================================================

hostname R3


int gi0/0
description "to SW1;gi0/2"
no shut

int gi0/0.13
encapsulation dot1q 13
description "to R1"
ip add 10.1.13.3 255.255.255.0

int gi0/0.23
encapsulation dot1q 23
description "to R2"
ip add 10.1.23.3 255.255.255.0

int gi0/0.34
encapsulation dot1q 34
description "to R4"
ip add 10.1.34.3 255.255.255.0


=================================================

hostname R4


int gi0/0
description "to SW1;gi0/3"
no shut

int gi0/0.14
encapsulation dot1q 14
description "to R1"
ip add 10.1.14.4 255.255.255.0

int gi0/0.24
encapsulation dot1q 24
description "to R2"
ip add 10.1.24.4 255.255.255.0

int gi0/0.34
encapsulation dot1q 34
description "to R3"
ip add 10.1.34.4 255.255.255.0


=================================================

hostname R5


int gi0/0
description "to SW1;gi1/0"
no shut

int gi0/0.25
encapsulation dot1q 25
description "to R2"
ip add 10.1.25.5 255.255.255.0

int gi0/0.56
encapsulation dot1q 56
description "to R6"
ip add 10.1.56.5 255.255.255.0

int gi0/0.57
encapsulation dot1q 57
description "to R7"
ip add 10.1.57.5 255.255.255.0

int gi0/0.58
encapsulation dot1q 58
description "to R8"
ip add 10.1.58.5 255.255.255.0


=================================================

hostname R6


int gi0/0
description "to SW1;gi1/1"
no shut

int gi0/0.16
encapsulation dot1q 16
description "to R1"
ip add 10.1.16.6 255.255.255.0

int gi0/0.56
encapsulation dot1q 56
description "to R5"
ip add 10.1.56.6 255.255.255.0

int gi0/0.67
encapsulation dot1q 67
description "to R7"
ip add 10.1.67.6 255.255.255.0

int gi0/0.68
encapsulation dot1q 68
description "to R8"
ip add 10.1.68.6 255.255.255.0


=================================================

hostname R7


int gi0/0
description "to SW1;gi1/2"
no shut

int gi0/0.57
encapsulation dot1q 57
description "to R5"
ip add 10.1.57.7 255.255.255.0

int gi0/0.67
encapsulation dot1q 67
description "to R6"
ip add 10.1.67.7 255.255.255.0

int gi0/0.78
encapsulation dot1q 78
description "to R8"
ip add 10.1.78.7 255.255.255.0


=================================================

hostname R8


int gi0/0
description "to SW1;gi1/3"
no shut

int gi0/0.58
encapsulation dot1q 58
description "to R5"
ip add 10.1.58.8 255.255.255.0

int gi0/0.68
encapsulation dot1q 68
description "to R6"
ip add 10.1.68.8 255.255.255.0

int gi0/0.78
encapsulation dot1q 78
description "to R7"
ip add 10.1.78.8 255.255.255.0


=================================================

BGP:R1


router bgp 1234
bgp router-id 1.1.1.1
redistribute connected
neighbor 10.1.12.2 remote-as 1234
neighbor 10.1.13.3 remote-as 1234
neighbor 10.1.14.4 remote-as 1234

neighbor 10.1.16.6 remote-as 5678


=============================

BGP:R2


router bgp 1234
bgp router-id 2.2.2.2
redistribute connected
neighbor 10.1.12.1 remote-as 1234
neighbor 10.1.23.3 remote-as 1234
neighbor 10.1.24.4 remote-as 1234

neighbor 10.1.25.5 remote-as 5678


=============================

BGP:R3


router bgp 1234
bgp router-id 3.3.3.3
redistribute connected
neighbor 10.1.13.1 remote-as 1234
neighbor 10.1.23.2 remote-as 1234
neighbor 10.1.34.4 remote-as 1234


=============================

BGP:R4


router bgp 1234
bgp router-id 4.4.4.4
redistribute connected
neighbor 10.1.14.1 remote-as 1234
neighbor 10.1.24.2 remote-as 1234
neighbor 10.1.34.3 remote-as 1234


=============================

BGP:R5


router bgp 5678
bgp router-id 5.5.5.5
redistribute connected
neighbor 10.1.56.6 remote-as 5678
neighbor 10.1.57.7 remote-as 5678
neighbor 10.1.58.8 remote-as 5678

neighbor 10.1.25.2 remote-as 1234


=============================

BGP:R6


router bgp 5678
bgp router-id 6.6.6.6
redistribute connected
neighbor 10.1.56.5 remote-as 5678
neighbor 10.1.67.7 remote-as 5678
neighbor 10.1.68.8 remote-as 5678

neighbor 10.1.16.1 remote-as 1234


=============================

BGP:R7


router bgp 5678
bgp router-id 7.7.7.7
redistribute connected
neighbor 10.1.57.5 remote-as 5678
neighbor 10.1.67.6 remote-as 5678
neighbor 10.1.78.8 remote-as 5678


=============================


BGP:R8


router bgp 5678
bgp router-id 8.8.8.8
redistribute connected
neighbor 10.1.58.5 remote-as 5678
neighbor 10.1.68.6 remote-as 5678
neighbor 10.1.78.7 remote-as 5678


=============================

Wednesday, January 10, 2018

Pi-Hole: After 1 Month

tl;dr It has been great. Truly beneficial to my home network. I can't wait to build a few on raspberry-pi's to give out to my non-technical family members.

Please consider donating to pi-hole if you've found them useful: https://pi-hole.net/donate/

I installed pi-hole about 1 month ago and have been reaping the rewards ever since. (https://showipintbri.blogspot.com/2017/12/pi-hole-day-1-first-5-minutes.html)

As a Network Security Professional, if you aren't watching DNS logs, YOU SHOULD!!! There is a wealth of information that can be gleaned from DNS logs. I'm writing the below post from the perspective of a home user, not a security professional. If nothing else, Pi-Hole is a great start!

Pi-Hole works great. My entire house-hold's online experience has been more enjoyable.

  • Sites with either pop-ups or banner ads are no more.
  • My wife plays a lot of app games on her phone and has seen a reduction in in-between-turn targeted ads.
  • My kids' online experience is better, as the ads delivered to them through their tablets have all been reduced.

Most people would assume Pi-Hole is for blocking ads delivered to you through your web browser while you're on your computer. This is true and it does a good job of that. It is well documented in many places on the internet. I'm going to shed some light on how it affects things other than desktops/laptops.

This system isn't without its faults. I wanted to outline a few un-intended consequences:

Roku - Poster-Ad

I am a long-time cord-cutter; I have a Roku at every TV or a Roku TV. Roku normally reserves 1/3 of the screen to show you 1 giant vertical advertisement panel on the home screen to the right of your tiles. This panel is used by Roku to advertise their own products and services, or used by companies that use Roku as their advertisement delivery platform.

Since having Pi-Hole on my network I haven't seen any advertisements on that panel.

Pi-Hole Enabled


Pi-Hole Disabled (5 minutes)



You may be thinking to yourself "so, what's the big deal." The big deal is I have little kids who enjoy watching TV and who can operate the Roku by themselves. Sometimes the poster-ad on the right of the screen is a giant ad for some second-rate cartoon 'app' or site. My kids click it, because they are subjected to clever marketing, then it asks for a login, or it's really just a stream with built-in targeted ads for kids' toys, then I have to tell my kids "No" and now I'm the bad guy 😕. With Pi-Hole I have eliminated that as a source of deception for my wee-ones. 😁

This is a good thing for my family and a plus for Pi-Hole, I love it. 


Roku - Screensaver

Like any modern device, when not in use the Roku has a screensaver. Roku doesn't miss the opportunity to have this serve you ads as well, as another advertisement delivery platform. The device (depending on which model you have) has different screensaver offerings. This particular TV is using a Roku 3; I prefer the "Big City Stroll", which is pretty cool. When Pi-Hole is enabled (it's always enabled) Roku doesn't switch to the "Big City Stroll"; it uses the Roku Logo Bounce. I suppose this is because it can't reach its ad-delivery network. I haven't pulled a PCAP to check, but I would assume it's doing a DNS lookup or a wget request using a domain name and when that fails it uses the Roku Logo Bounce. See below for my comparison:

Pi-Hole Enabled


Pi-Hole Disabled (5 minutes)



You may be thinking "So, what's the big deal"; no big deal, I just like the Big City Stroll and now I don't get to see it :( I have other Rokus in the house. I have a Roku Ultra in the basement and I use the fish-tank screensaver, which doesn't serve ads, and it still comes up for our amusement. The Roku TV in the bedroom also uses the Big City Stroll and it also no longer works.

Amazon Fire Tablets

The most shocking thing of all is the complete battery drain of both my kids' Amazon Fire Tablets since enabling Pi-Hole in my house. When I did my blog post about 1 month ago I was surprised to see "Blocked" results immediately. As a day or two passed I checked the admin dashboard of Pi-hole and noticed my household was making about 8,000 DNS requests daily. I was monitoring this daily from then on. Within a day or two I noticed our "Blocked" DNS requests in the 50,000 range!!!!

50,000!!! WTF!!!!

Pi-Hole has a great dashboard to show which hosts are making the requests by volume:
(Below is only 1 tablet on, making the DNS requests... the other battery died, keep reading you'll find-out why)


Using the side-by-side of clients vs. blocked domains it was easy to correlate which host was making the most requests and to what. I do not have Pi-Hole as my DHCP server (you could, it is a feature); I'm still using my router as my DHCP, so I popped over to my router to see what host name held that IP. It was the generic hostname of my son's tablet. I used my LogZilla install to search for his MAC address to see which IPs he was assigned historically from my DHCPd logs.

I loved the Amazon Fire Tablets for my kids because the batteries last all day. But now they don't last 6 hours. I couldn't figure out why.

I searched my top blocked domain and found other people with the same issues: https://discourse.pi-hole.net/t/device-metrics-us-amazon-com-requests-like-crazy/5731

What seems to be happening is:
The tablets are trying to reach out to their device-metrics domain, likely to tell Amazon about my kids' tablet usage. Because the DNS request is blocked it never resolves and thus never makes its connection back to its server. It must do this on a loop: "if fail; repeat". With this domain blacklisted you can sit and watch the "Blocked" domains counter on Pi-Hole's dashboard increase by a few requests every second, most of which are the "device-metrics" domain.

Even when the kids' tablet screens are off and they should be 'sleeping', they are still making DNS requests which are getting blocked a few times per second. This means the tablet never really goes to sleep and depletes its battery.

A couple of ways around this:
  1. White-list the domain. The connection will succeed and all is well.
  2. Turn off Wi-Fi on the kids' tablets. (This doesn't always go over so well 😁)
I also have an Amazon Fire TV Stick. When both my kids' tablets are powered off, I do NOT see the same requests coming from that device. This tells me it's local to my kids' tablets on my network. I know other people have posted similar experiences about Amazon Echos and Echo Dots.
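
The retry loop described above can be spotted in the Pi-Hole query log itself. Below is an added Python example (not from this post or the Pi-Hole project) that scans dnsmasq-style pihole.log lines, attributes each blocked answer to the client that last asked for that domain, and flags client/domain pairs that are being blocked several times per second; the log lines and addresses are constructed, and the log layout is assumed from the dnsmasq format.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of dnsmasq-style lines as written to /var/log/pihole.log
# (assumed layout; the tablet at 192.168.1.50 and the other client are made up).
SAMPLE_LOG = """\
Jan  3 08:00:00 dnsmasq[1234]: query[A] device-metrics-us.amazon.com from 192.168.1.50
Jan  3 08:00:00 dnsmasq[1234]: gravity blocked device-metrics-us.amazon.com is 0.0.0.0
Jan  3 08:00:01 dnsmasq[1234]: query[A] www.example.com from 192.168.1.20
Jan  3 08:00:01 dnsmasq[1234]: forwarded www.example.com to 8.8.8.8
Jan  3 08:00:01 dnsmasq[1234]: query[A] device-metrics-us.amazon.com from 192.168.1.50
Jan  3 08:00:01 dnsmasq[1234]: gravity blocked device-metrics-us.amazon.com is 0.0.0.0
Jan  3 08:00:02 dnsmasq[1234]: query[A] device-metrics-us.amazon.com from 192.168.1.50
Jan  3 08:00:02 dnsmasq[1234]: gravity blocked device-metrics-us.amazon.com is 0.0.0.0
"""

TS = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
QUERY_RE = re.compile(TS + r"query\[\w+\] (\S+) from (\S+)$")
# Blocked answers: "gravity blocked" (FTL) or the older "/etc/pihole/gravity.list" form.
BLOCK_RE = re.compile(TS + r"(?:gravity blocked|/etc/pihole/gravity\.list) (\S+) is ")

def find_retry_loops(log_text, min_blocked=3, min_rate=1.0):
    """Return (client, domain, blocked_count, blocks_per_second) for pairs that retry in a tight loop."""
    last_client = {}            # domain -> client that most recently queried it
    blocked, first, last = Counter(), {}, {}
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            last_client[m.group(2)] = m.group(3)
            continue
        m = BLOCK_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year-less syslog stamp
        key = (last_client.get(m.group(2), "unknown"), m.group(2))
        blocked[key] += 1
        first.setdefault(key, ts)
        last[key] = ts
    loops = []
    for key, n in blocked.items():
        window = max((last[key] - first[key]).total_seconds(), 1.0)
        rate = n / window
        if n >= min_blocked and rate >= min_rate:
            loops.append((key[0], key[1], n, round(rate, 2)))
    return sorted(loops, key=lambda r: r[2], reverse=True)

def whitelist_commands(loops):
    """Workaround #1 from the post for each flagged domain (pihole -w adds it to the whitelist)."""
    return sorted({f"pihole -w {domain}" for _, domain, _, _ in loops})
```

On a real install, feed it the output of `tail -n 5000 /var/log/pihole.log` and raise min_rate if normal clients show up.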

All in all I really love Pi-Hole; it has enhanced my family's online experience. I recommend it and it was stupid simple to set up.

I'm going to be building a few on Raspberry Pis to send to my grandparents and other family members so they can stop being bombarded with ads/malware and phishing campaigns, which in turn should stop some of the family IT help-desk tickets they send me 😁

Other than the things above I haven't noticed any problems or side-effects with using Pi-Hole at home. If you have something to add please leave a comment below.

Please consider donating to Pi-Hole if you find this useful: https://pi-hole.net/donate/

Wednesday, January 3, 2018

VRF Aware IPSEC: IKEv2

This is a follow-up to a previous blog post: VRF Aware IPSEC: IKEv1

I highly recommend Kat Mac's VPN blog series. It lays it out in plain English. Well crafted and beautifully done: https://www.network-node.com/blog/2017/7/24/ccie-security-ipsec-vpn-overview

For the "configlet" we will use the topology below (same as the previous blog post): 2 routers directly connected (via a switch), each with a loopback. We want traffic sourced from a loopback and destined for a loopback to be encrypted via IPSEC tunnels. All other traffic will route without encryption.

The below topology and initial configs are the same from the previous blog post: VRF Aware IPSEC: IKEv1.

CAVEAT: These templates are an example of VRF Aware IPSEC. Each router is using a VRF routing table, NOT THE GLOBAL ROUTING TABLE (GRT)!!!


Basic Initial Configs:

R1:

vrf definition client
 !
 address-family ipv4
 exit-address-family


interface Loopback1
 vrf forwarding client
 ip address 1.1.1.1 255.255.255.255


interface FastEthernet0/0
 vrf forwarding client
 ip address 10.1.1.1 255.255.255.252


ip route vrf client 100.1.1.1 255.255.255.255 10.1.1.2

R2:


vrf definition server
 !
 address-family ipv4
 exit-address-family



interface Loopback100
 vrf forwarding server
 ip address 100.1.1.1 255.255.255.255


interface FastEthernet1/0
 vrf forwarding server
 ip address 10.1.1.2 255.255.255.252


ip route vrf server 1.1.1.1 255.255.255.255 10.1.1.1

IPSEC (IKEv2) Configs:

R1:

access-list 100 permit ip host 1.1.1.1 host 100.1.1.1

crypto ikev2 proposal client
  encryption aes-cbc-256
  integrity sha256
  group 21
exit

crypto ikev2 policy client
  match fvrf client
  proposal client
exit

crypto ikev2 keyring KEYRING
 peer server
  address 10.1.1.2
  pre-shared-key local cisco
  pre-shared-key remote cisco
exit


crypto ikev2 profile client
 match fvrf client
 match address local interface FastEthernet0/0
 match identity remote address 10.1.1.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
 lifetime 28800
exit


crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
 mode tunnel
exit

crypto map MYMAP 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set MYSET
 set ikev2-profile client
 match address 100
exit

int fa0/0
crypto map MYMAP
exit

R2:

access-list 100 permit ip host 100.1.1.1 host 1.1.1.1

crypto ikev2 proposal server
  encryption aes-cbc-256
  integrity sha256
  group 21
exit

crypto ikev2 policy server
  match fvrf server
  proposal server
exit

crypto ikev2 keyring SERVER_KEYRING
 peer client
  address 10.1.1.1
  pre-shared-key local cisco
  pre-shared-key remote cisco
exit
exit


crypto ikev2 profile server
 match fvrf server
 match address local interface FastEthernet1/0
 match identity remote address 10.1.1.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local SERVER_KEYRING
 lifetime 28800
exit


crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
 mode tunnel
exit

crypto map MYMAP_SERVER 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set MYSET
 set ikev2-profile server
 match address 100
exit

int fa1/0
crypto map MYMAP_SERVER
exit

Verify:

R1:

ping vrf client 100.1.1.1 source 1.1.1.1

show crypto ikev2 sa fvrf client [detailed]

show crypto ipsec sa vrf client

R2:

ping vrf server 1.1.1.1 source 100.1.1.1

show crypto ikev2 sa fvrf server [detailed]

show crypto ipsec sa vrf server

Show Output:


R1#show crypto ikev2 sa fvrf client
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.1.1.1/500          10.1.1.2/500          client/client        READY
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:21, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 28800/41 sec

 IPv6 Crypto IKEv2  SA



R1#show crypto ikev2 sa fvrf client detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.1.1.1/500          10.1.1.2/500          client/client        READY
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:21, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 28800/54 sec
      CE id: 1001, Session-id: 1
      Status Description: Negotiation done
      Local spi: 21E078A4CC7C3612       Remote spi: 42905DBF44368F78
      Local id: 10.1.1.1
      Remote id: 10.1.1.2
      Local req msg id:  2              Remote req msg id:  0
      Local next msg id: 2              Remote next msg id: 0
      Local req queued:  2              Remote req queued:  0
      Local window:      5              Remote window:      5
      DPD configured for 0 seconds, retry 0
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes


R1#show crypto ipsec sa vrf client

interface: FastEthernet0/0
    Crypto map tag: MYMAP, local addr 10.1.1.1

[ ... OUTPUT REMOVED TO SAVE SPACE ... ]

   protected vrf: client
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (100.1.1.1/255.255.255.255/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x52F8B750(1392031568)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x522A72A4(1378513572)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4179797/3586)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x52F8B750(1392031568)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4179797/3586)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)