about the Next Hop Resolution Protocol (NHRP), we examined the theory and functionality of NHRP. In this post, we will examine the configuration commands that make NHRP possible. This will conclude the information required about this important protocol for the written exam. NOTE: This does not conclude information that should be known about the main use of NHRP – the Dynamic Multi-point VPN (DMVPN). That is a topic for other blog posts.

The first thing you do for configuration with NHRP is that you go to a multipoint GRE (mGRE) interface and you assign a NHRP network ID. You configure this with the command:

ip nhrp network-id number

What does this command do? That is a great question, both here and in the Certification exam environment!!! The NHRP network ID is used to define the NHRP domain for an NHRP interface. You need to be able to differentiate between multiple NHRP networks when two or more mGRE tunnel interfaces are available on the same router. Cisco relies upon the NHRP network ID to keep two NHRP networks separate from each other when both are configured on the same router.

It is extremely important to realize that the NHRP network ID is a locally significant parameter. This network ID is not transmitted in NHRP packets to other NHRP nodes. Because of this, the actual value of the NHRP network ID configured on a router need not match the same NHRP network ID on another router. As NHRP packets arrive on a GRE interface, they are assigned to the local NHRP domain in the NHRP network ID that is configured on that interface. You should note how similar this functionality is to the OSPF process ID.

NHRP network IDs can be unique on each mGRE tunnel interface on a router. This is required when running DMVPN Phase 1 or Phase 2 or when using a tunnel key on the mGRE interfaces as you will see in a later post. Also, realize that NHRP domains can span across mGRE tunnel interfaces on a route. This option is available when running DMVPN Phase 3 and not using a tunnel key on the GRE tunnel interfaces. In this case, the effect of using the same NHRP network ID on the mGRE tunnel interfaces is to mesh the two mGRE interfaces into a single DMVPN network.

To participate in NHRP process, a router connected to the NBMA network must be configured with the IP and NBMA addresses of its Net Hop Server (NHS). To configure static IP-to-NBMA address mapping on a router, we use the following command:

ip nhrp map ip-address nbma-address

To enable IP multicast and broadcast packets to be sent to the statically configured station, use the command:

ip nhrp map multicast nbma-address

This step is required on multipoint GRE tunnels and not required on point-point GRE tunnels, so obviously, it is typically required in our DMVPN implementations that utilize mGRE.

Finally, a Next Hop Server normally uses the routing table to determine where to forward NHRP packets and to find the egress point from an NBMA network. You may also statically configure the NHS with a set of IP address prefixes that correspond to the IP addresses of the stations it serves. You make this configuration using the logical NBMA network identifiers (IP addresses). You can configure these static mappings with the command:

ip nhrp nhs nhs-address [net-address [netmask]]

To bring this all together, recall the sample configuration provided in the previous blog post on the subject of NHRP. Note that this example emphasizes NHRP itself and does not yet focus on DMVPNs:

R1

interface tunnel 0
 no ip redirects
 ip address 209.165.200.224 255.255.255.0
 ip nhrp map 209.165.200.225 10.0.0.2
 ip nhrp network-id 1
 ip nhrp nhs 209.165.200.225
 tunnel source fastethernet 0/0
 tunnel mode gre multipoint
 tunnel key 1
interface fastethernet 0/0
 ip address 10.0.0.1 255.0.0.0

Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv

Print Friendly

Obviously, the official announcement is coming soon. The RSA conference mentioned in the article, and  Cisco Live in San Diego, are certainly candidates for the official announcement.

Here is the relevant information from the post:

“The Real Life of an Expert: Introducing the New CCIE Security

CCIE Security 4.0 is unusual among security certificates for its up-to-date, real-world content. It emphasizes security competency and efficient problem solving in networks that use cloud services, carry voice and multimedia traffic, and are accessed by a variety of wireless devices.

The content, currently in development, may include real-world applications that involve:

• Securing both wireless and wired networks, including managing security policy by device and service
• Extending application awareness to security devices, moving security up to Layer 7 from the stateless packets of Layers 3 and 4, and applying policy on a per-identity basis
• Applying security policy in a network that has voice and video traffic
• Securing networks that use managed services, dual ISPs, IPv6, or IP multicast

Cisco will soon announce the blueprints for the CCIE Security 4.0 written and lab exams; the first exam will take place approximately six months later.

Although there are no prerequisites for registration, Cisco offers a preparation path through its CCNA and/or CCNP Security levels, and recommends that candidates have at least three years of hands-on network security experience.”

Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv

Print Friendly

MPLS

• MPLS Unicast Routing Using LDP
  • Controlling Label Distribution
• MPLS VPN
  • MPLS VPN Using Static Routing Between PE-CE
  • MPLS VPN Using RIP as the PE-CE Routing Protocol
  • MPLS VPN Using EIGRP as the PE-CE Routing Protocol
    • Site of Origin
    • Cost Community
  • MPLS VPN Using OSPF as the PE-CE Routing Protocol
    • Process ID
    • Domain ID
    • Super Backbone
    • Auto-configuration
    • Sham Links
    • Down-bit
  • MPLS VPN Using EBGP as the PE-CE Routing Protocol
    • Site of Origin
    • AS Override
  • Controlling Route Propagation Using the Route Target with Import and Export Maps
  • Internet Access
• VRFs at the Customer Sites Using VRF-Lite

Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv

Print Friendly

Due to the economic downturn, many candidates are under spending restrictions and budget cuts on training and travel, so we wanted to do something more to help!

Essentially, we have taken the same course materials used in our 1-Week Lab Experience Boot Camps, which costs $4999 to $5499, and made the mock labs available at a low cost…

“Last Mile” Prep Kit Components

• Four full-scale “Mock Lab” exams, professionally printed and bound, then shipped to your door.
• The books you receive will include detailed written walk-through explanations for each of the labs.
• You will also have electronic access to download a file with the final configurations.

60 Hours of Online Rack Rental INCLUDED

With this kit, you also get a week’s worth of time with a rack of equipment! You get eight online rack sessions for use at Proctor Labs. That is over 60 hours of rack time to work through the mock labs!

For details and to order your kit…

• Voice: http://www.ipexpert.com/index.cfm/product/sku/IPX0703
• Security: http://www.ipexpert.com/index.cfm/product/sku/IPX0701

Print Friendly

So the Security version 3.0 announcement has been out now for about 2 and a half months now.  This change can become a big stumbling block for many that are stuck in the middle of whether they are going to make it for the old version or the new 3.0 version of the test.  If you don’t feel that you will make it for the old version of the test… do you wait around for our new material to be released or continue to study?  Well, I think there is a clear direction that should be followed and I want to outline some of my recommendations to you below so you don’t get caught in the doldrums of preparation time.

In a perfect world we would be able to offer you the complete 6th edition of our CCIE-Security study material, The Blended Learning Solution (BLS) version 3.0. It would be a clean and simple solution that would suit everyone. However I believe the current workbook and proctor guide can continue to provide you, as a student, the necessary tools to prepare for the newer version of the test and will provide you a building block to the new material as we release it.

So what do I mean by this?  Well, let’s go over what was on the test previously that will no longer be on the new version and briefly what is going to be introduced on the newer version of the test that was not previously there.

So first, what has been removed is pretty simple; the VPN concentrator and PIX are no longer on the hardware list.  So any material we have in relation to this hardware is no longer relevant.  (Although most of the functionality configured on a PIX is the same on the ASA). So if a lab in the workbook has material in relation to this hardware does it make the lab irrelevant?  Definitely not… It means that possibly 20% of the lab may be irrelevant for the hardware.  But the functionality that is asked in the questions can be either skipped or you can even take it a step further and implement the technologies on another device.  For example, if the lab has you configure PIX as a transparent firewall.  You may not be tested on the PIX but the transparent firewall feature is still very clearly on the new blueprint under both the ASA and IOS sections.  So it is a great opportunity to learn how to do a transparent firewall on a router or an ASA.

The IPS has changed from a 4215 to a 4240.  But the topics covered under the IPS section have not changed.  The material we have written for the IDS appliance is still very relevant to the IPS.  It is now implemented with a different interface.  And the great thing IPexpert has worked to do with ProctorLabs is to get the new hardware added to the racks while still leaving the older appliance available to clients continuing to study for the version 2.0 blueprint.

So we have provided you with the option to use the new appliance with older material as your guide until our new material is released.  If you have used the older appliance it is an easy transition to the new interface.  Once you get the knack of working with it.  I would explain it as going from Windows 2000 to Windows 2008.  The old features are still present and relevant.  It looks a little different with more of a logical separation of configuration functionality.  As well, it has been given upgraded functionality that was not previously available.

There will be additional material introduced in the new version of the workbook for the IPS, but the old material will still be covered with the solution guide re-written to show the newer interface.

Now new topics I will only briefly mention;

IOS Firewalls: Zone based firewall.

Cisco VPN Solutions: GET VPN, and Clientless WebVPN are introduced.

Identity Management: LDAP authentication and Certificate Based Authentication

Control and Management Plane Security: Implementing routing plane security features, Configuring Control Plane Policing, Configure CP protection (Management is already tested there will be additional material), Service Authentication

Advanced Security: RFC 3330 and 3704 is added; RFC 2401 is removed

Mitigate Network Attacks: Malicious IP Option usage

That is it.  The blueprint looks a lot different if you are not comparing them side by side.  But if you do, you will find the new blueprint is a lot more words saying the same things for the most part.

Now in pointing this out, there is definitely additional material that needs to be covered with our new material we are working to release.  I believe that you will be greatly benefited by the material we release.  Does this mean that you should stop studying and wait for this material?  Definitely not… there is very little material that is covered in the previously work book that is no longer relevant (As I have outlined above).

It is also important to understand how Cisco introduces the new versions of the test.  When they implement the new hardware, it has always occurred in the past that they don’t suddenly start implementing all the new features they have mentioned in the blueprint.  Nor all the new features available in the new versions of code (12.2T versus 12.4T).  In the past they have typically slowly transitioned to the newer features over a short period of time, about 1 to 3 months.  They don’t implement the new hardware and suddenly start introducing all the new features the first day after cut over.

I believe they have always provided this transition to allow both training companies and students to ramp up to the new material.  Contrary to popular belief, Cisco has a vested interest in your success.  They want people to continue to pass the test that are qualified to do so.  It is important to them to have people in the industry that are classified as “Experts” to sell their technologies to the market.  So keep in mind they are interested in your success.

Some candidates might choose to wait for spring ’09 before commencing their studies.  If that is your strategy, well I am not one to say that it is not OK. My only advice to you is that as the time passes with the new blueprint, more material will continue to be introduced and it will only become more unlike the 2.0 blueprint as time goes on.  This means that there will be a greater breadth of features on the test.  So don’t wait for new material to begin/continue your preparation.  Especially if in fact you have the opportunity to start now with the majority of the current topics and build from there.

Now neither IPexpert nor any of the companies who operate in the same space have any practice labs for the new blueprint ready today. Again that will be changing very soon, however it is going to take time before anybody can come out and offer an updated solution for you to use.  I do want to let you know a little about our strategy as we move forward.  We have decided to release material as it becomes available.  This means that as we finish one or more labs that are ready for release we will make them available to you as a student (bear in mind as labs are released one-by-one, you get to start on the new BP topics no sooner than you have finished the base theory).  And by March ’09 Bootcamps will have been updated and various blogs, mailing lists, and forums will have begin buzzing with new content.

Don’t sit around while the economy melts around us. You need to get your skills upgraded, and you need to be prepared to take the new exam when it debuts in April, not 6 months from April when you have had enough time to practice in your home lab. You need the certification as soon as possible to much better hedge your bets against a falling job market.

So it boils down to this: We will have labs covering the newer theories, complete with newer screenshots soon.  But do you start/continue your studying now or wait for that material.  I think the answer to that is clearly now.  Move forward with the current material or buy the current Security Box Set, study, and get ready for the more advanced material to come your way!

So what are you waiting for?!?!? Get the Security Box Set today, start studying now, and get the updated material JIT for a huge upgrade cost of $000.00!!

Print Friendly

I must admit that when I first took a look at the refreshed Lab equipment and IOS my first reaction was “Phew- no CatOS, no ATA and no VG248”. These three items took a disproportionate amount of time to configure in the 8 hour lab exam and I can honestly tell you that I for one will not shed too may tears over their impending departure. As a bonus we can say good riddance to FXS/FXO interfaces and finally focus on T1/E1 PRI and CAS gateways (although seeing CAS remaining on the blueprint was somewhat mindboggling).

I guess the biggest surprise is “pre-configurations of basic tasks (such as phone registration, basic application integration, basic dial plan, etc.)” will be done. What this means is that there will be more focus of advanced features and services and, more significantly, opens the door for troubleshooting errors within pre-existing configuration.

In terms of what endpoints you have on your desk- wave goodbye to fax machines and analog phones and say hello to Software clients. What this means- we’ll have to wait and see but Communicator and/or VT-Advantage may make an appearance at some stage, either of which we will be prepared for. Off course you still have IP Phones- nothing more specific to report on there.

Taking a quick look further down the refreshed list and there are no major surprises. We have the Catalyst 3750 switches and 4 port EtherSwitch Card (HWIC-4ESW-POE) introduced in place of the Catalyst 6500 and 3550. Finally we have PVDM-2 in place of their predecessor. They got rid of Unity altogether, which makes sense given the escalating rivalry that exists between Cisco and Microsoft. Most of us knew from Networkers that 7.0 would be the choice of CUCM. Upgrading CUCME along with CUCCX to the 7.0 version is logical in order to maintain alignment across the board. And now we can welcome the Presence server and Unity Connection. The new IOS (12.4T train) opens the door for a topology aware CAC mechanism namely the RSVP Agent. I happen to think that RSVP will be a major new feature added to the test.

So what does it mean for prospective CCIE-Voice candidates? For those of you in the middle of your preparation on the 2.0 blueprint then the obvious message should be don’t let this affect your preparation. Off course you run the risk of being stuck between a rock and a hard place come mid-2009 if you haven’t passed. The point I’d like to make is all the knowledge acquired learning the materials on the CCIE-V 2.0 blueprint is still largely relevant for the CCIE-V 3.0 blueprint (Unity aside). Yes we have a new interface and plenty more features to deal with. But the foundational knowledge is still very much a requirement and remember, typically the new features will be phased into the test- there will not be the massive overhaul you might expect on day one.

So the message for anybody in the middle of your preparation is don’t let the CCIE 3.0 announcement interrupt your preparations. Continue with CCIE 2.0 and try and get the thing nailed before mid-July. If you have not passed in this timeframe then there is no reason to panic. There will still be QoS in much the same format (minus CatOS and add RSVP). There will still be MGCP and H323 gateways. There will still be Calling Search spaces, Route Patterns, etc, etc…Preparation on the 2.0 blueprint will still give you a good grounding for the 3.0 blueprint and the new Applications and Features will be easier to deal with this firm understanding.

Now the exception to this logic is the candidate who has yet to start any kind of preparation on the current 2.0 blueprint. It might be wise to make an executive decision to begin your preparation on the new versions of software since you have the luxury of knowing in advance what the new blueprint comprises before beginning your journey.

Expect to hear some major announcements from IPexpert in the coming weeks and months. Our instructors and executives have been in lengthy discussions for about a year regarding the issue of the new CCIE Voice blueprint. We are very well prepared for this announcement since there has been plenty going on behind the scenes to ensure that we serve our customers as best we can. I’ll leave it to others to make announcements of when we will be ready with updated racks, workbooks and bootcamps.

Print Friendly

Some of you I have already talked to recently have stated that you are at the beginning of your studies for the lab and are therefore choosing to focus solely on the new v3 blueprint. For those of you in this category, you of course not only need the new hardware, but also need the ISR routers upgraded to 12.4(xx)T, your ASAs upgraded to v8.x, the ACS server upgraded to v4.1, and new VPN clients on the XP workstation. Stay tuned as we will very shortly (possibly as soon as next week) be announcing a clever way to dynamically upgrade your vRack’s software for this new blueprint based on what you tell us you are studying for.

So stay tuned!

Print Friendly