Archive for November, 2012

A basic look at the Catalyst ME3400

November 9, 2012 5 comments

Now that I have passed the CCIE RS you will see more diversified posts from me. I will
be blogging about topics mostly related to design and SP topics as that is what I am
most involved with right now.

I did not have much experience with the Catalyst ME3400 so I want to do a post on the
basics about it.

The Catalyst ME3400 is a switch targeted at the service provider segment.
Although it is a Catalyst, many things are different compared to the regular Catalyst
switches.

The ME3400 has three different port types:

UNI – User Network Interface. Port facing downstream (towards the customer). The port can’t
run STP, CDP or EtherChannel protocols like PAgP and LACP.

ENI – Enhanced Network Interface. Also facing towards the customer, but this port can support
STP, CDP and EtherChannel protocols.

NNI – Network Node Interface. Sometimes also called network to network interface. This port
is facing upstream towards the core. This port has support for STP, CDP and EtherChannel
protocols.

Let’s take a look at the topology we are using, which is the INE SPv3 topology. Here we are
focusing on two routers connected to a ME3400 switch.

By default the ME3400 behaves a bit differently than other Catalysts. Let us take a look at
those defaults.

SW1#sh int status

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        disabled     1            auto   auto 10/100BaseTX
Fa0/2                        disabled     1            auto   auto 10/100BaseTX
Fa0/3                        disabled     1            auto   auto 10/100BaseTX
Fa0/4                        disabled     1            auto   auto 10/100BaseTX
Fa0/5                        disabled     1            auto   auto 10/100BaseTX
Fa0/6                        disabled     1            auto   auto 10/100BaseTX
Fa0/7                        disabled     1            auto   auto 10/100BaseTX
Fa0/8                        disabled     1            auto   auto 10/100BaseTX
Fa0/9                        disabled     1            auto   auto 10/100BaseTX
Fa0/10                       disabled     1            auto   auto 10/100BaseTX
Fa0/11                       disabled     1            auto   auto 10/100BaseTX
Fa0/12                       disabled     1            auto   auto 10/100BaseTX
Fa0/13                       disabled     1            auto   auto 10/100BaseTX
Fa0/14                       disabled     1            auto   auto 10/100BaseTX
Fa0/15                       disabled     1            auto   auto 10/100BaseTX
Fa0/16                       disabled     1            auto   auto 10/100BaseTX
Fa0/17                       disabled     1            auto   auto 10/100BaseTX
Fa0/18                       disabled     1            auto   auto 10/100BaseTX
Fa0/19                       disabled     1            auto   auto 10/100BaseTX
Fa0/20                       disabled     1            auto   auto 10/100BaseTX
Fa0/21                       disabled     1            auto   auto 10/100BaseTX

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/22                       disabled     1            auto   auto 10/100BaseTX
Fa0/23                       disabled     1            auto   auto 10/100BaseTX
Fa0/24                       disabled     1            auto   auto 10/100BaseTX
Gi0/1                        notconnect   1            full   1000 1000BaseSX SFP
Gi0/2                        notconnect   1            full   1000 1000BaseSX SFP

As you can see, all the ports facing downstream are disabled by default. Not a big deal,
but it’s a bit different than what we are used to. The ports facing upstream (uplinks) are
enabled by default.

Now we take a look at the default port types.

SW1#sh port-type
Port      Name               Vlan       Port Type
--------- ------------------ ---------- ----------------------------
Fa0/1                        1          User Network Interface           (uni)
Fa0/2                        1          User Network Interface           (uni)
Fa0/3                        1          User Network Interface           (uni)
Fa0/4                        1          User Network Interface           (uni)
Fa0/5                        1          User Network Interface           (uni)
Fa0/6                        1          User Network Interface           (uni)
Fa0/7                        1          User Network Interface           (uni)
Fa0/8                        1          User Network Interface           (uni)
Fa0/9                        1          User Network Interface           (uni)
Fa0/10                       1          User Network Interface           (uni)
Fa0/11                       1          User Network Interface           (uni)
Fa0/12                       1          User Network Interface           (uni)
Fa0/13                       1          User Network Interface           (uni)
Fa0/14                       1          User Network Interface           (uni)
Fa0/15                       1          User Network Interface           (uni)
Fa0/16                       1          User Network Interface           (uni)
Fa0/17                       1          User Network Interface           (uni)
Fa0/18                       1          User Network Interface           (uni)
Fa0/19                       1          User Network Interface           (uni)
Fa0/20                       1          User Network Interface           (uni)
Fa0/21                       1          User Network Interface           (uni)
Fa0/22                       1          User Network Interface           (uni)
Fa0/23                       1          User Network Interface           (uni)
Fa0/24                       1          User Network Interface           (uni)
Gi0/1                        1          Network Node Interface           (nni)
Gi0/2                        1          Network Node Interface           (nni)

All downstream ports are UNI by default and the uplinks are NNI by default. By default
the UNI ports can only communicate with NNI ports. This is very similar to how private
VLANs work, where the isolated ports can only communicate through a promiscuous port.

The VLANs in the ME3400 are a bit different: they are called UNI-VLANs and by default
they work like isolated VLANs in a private VLAN. That means that two UNI ports can’t
communicate directly even if they are in the same VLAN.

We will set up the ports towards the routers as access ports. On the ME3400
there are no dynamic modes, so you need to set the mode statically to access, trunk or
dot1q-tunnel. There is also no support for ISL, so there is no need to set the encapsulation.

SW1(config)#vlan 2
SW1(config-vlan)#int range f0/1 - 2
SW1(config-if-range)#switchport
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 2

We configure IP addresses on R1 and R2 and then we will try to ping between them.

R1(config)#int f0/0
R1(config-if)#ip add 10.0.0.1 255.255.255.0
R1(config-if)#no sh

And then the same on R2 with an IP of 10.0.0.2. We check the status of the
switchport for R1.

SW1#sh int f0/1 swi
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 2 (VLAN0002)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Capture Mode Disabled
Capture VLANs Allowed: ALL

Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

It is set to access as expected and you can see that the port does not support
DTP (Negotiation of Trunking: Off). Now we try to ping between R1 and R2.

R1#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

That was not successful. Do we see any MAC addresses?

SW1#sh mac add vlan 2
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0180.c200.0000    STATIC      CPU
 All    0180.c200.0001    STATIC      CPU
 All    0180.c200.0002    STATIC      CPU
 All    0180.c200.0003    STATIC      CPU
 All    0180.c200.0004    STATIC      CPU
 All    0180.c200.0005    STATIC      CPU
 All    0180.c200.0006    STATIC      CPU
 All    0180.c200.0007    STATIC      CPU
 All    0180.c200.0008    STATIC      CPU
 All    0180.c200.0009    STATIC      CPU
 All    0180.c200.000a    STATIC      CPU
 All    0180.c200.000b    STATIC      CPU
 All    0180.c200.000c    STATIC      CPU
 All    0180.c200.000d    STATIC      CPU
 All    0180.c200.000e    STATIC      CPU
 All    0180.c200.000f    STATIC      CPU
 All    0180.c200.0010    STATIC      CPU
 All    ffff.ffff.ffff    STATIC      CPU
   2    0008.7dab.e408    DYNAMIC     Fa0/1
   2    0008.7dab.e808    DYNAMIC     Fa0/2
Total Mac Addresses for this criterion: 22

Yes, that is not the issue. Are the ports forwarding in spanning tree?

SW1#sh span vlan 2

Spanning tree instance(s) for vlan 2 does not exist.

No spanning tree? Remember, spanning tree does not run on UNI ports. The reason is that
UNI ports can’t communicate with each other without going through an NNI port. So
how can we make R1 and R2 ping each other? We can set one port to
NNI.

SW1(config)#int fa0/1
SW1(config-if)#port-type nni

R1#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Yes, that solved it. Now spanning tree is running on Fa0/1 because we changed
the port-type to NNI.

SW1#sh span vlan 2

VLAN0002
  Spanning tree enabled protocol rstp
  Root ID    Priority    32770
             Address     0022.91d7.9480
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     0022.91d7.9480
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Desg FWD 19        128.3    P2p


SW1#

What if we can’t change the port-type? What else can we do? We can change the VLAN type.

SW1(config)#int fa0/1
SW1(config-if)#port-type uni
SW1(config-if)#vlan 2
SW1(config-vlan)#uni-vlan ?
  community  UNI/ENI community VLAN
  isolated   UNI/ENI isolated VLAN

SW1(config-vlan)#uni-vlan community
SW1#show vlan uni-vlan

VLAN Type              Ports
---- ----------------- -------------------------------------------------------
2    UNI community     Fa0/1, Fa0/2, Gi0/1, Gi0/2

R1#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

So that works as well. By default UNI to UNI won’t communicate, but we can change that
as you just saw. Note that spanning tree is not running now, which could potentially
lead to a loop.

SW1#sh span vlan 2

Spanning tree instance(s) for vlan 2 does not exist.

To help protect against that we can change the ports to ENI and enable spanning tree
on them. We can also enable CDP so that the routers can see what they are connected to.

SW1(config)#int range f0/1 - 2
SW1(config-if-range)#port-type eni
SW1(config-if-range)#spanning-tree
SW1(config-if-range)#cdp enable

SW1#sh span vlan 2

VLAN0002
  Spanning tree enabled protocol rstp
  Root ID    Priority    32770
             Address     0022.91d7.9480
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     0022.91d7.9480
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Desg FWD 19        128.3    P2p
Fa0/2               Desg FWD 19        128.4    P2p

So this is how traffic behaves on a Catalyst ME3400 by default, and how the port type and
UNI-VLAN type change it.
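To make those forwarding rules explicit, here is a small Python model. It is an added example, not code from the original post and not a Cisco tool; it encodes the behaviour the post demonstrates (UNI and ENI ports are isolated from each other unless their UNI-VLAN is a community VLAN, any UNI/ENI port can reach an NNI port, STP runs on NNI ports and on ENI ports only when enabled). The Port and Switch classes, the loop_risk check and the two-router topology are constructed for the example; it replays the post’s four steps (defaults, port-type nni, uni-vlan community, ENI with spanning-tree) and flags the community VLAN without STP as a loop risk.

```python
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Port:
    name: str
    port_type: str             # "uni", "eni" or "nni"
    vlan: int                  # access VLAN (trunks simplified to one VLAN here)
    stp_enabled: bool = False  # ENI runs STP only when enabled; NNI always does
    connected: bool = True     # the post's SFP uplinks show "notconnect"


@dataclass
class Switch:
    """Constructed model of ME3400 UNI/ENI/NNI forwarding rules (not Cisco code)."""
    ports: dict = field(default_factory=dict)      # name -> Port
    uni_vlans: dict = field(default_factory=dict)  # vid -> "isolated" | "community"

    def add_port(self, name, port_type, vlan, stp_enabled=False, connected=True):
        assert port_type in ("uni", "eni", "nni")
        self.ports[name] = Port(name, port_type, vlan, stp_enabled, connected)
        self.uni_vlans.setdefault(vlan, "isolated")  # ME3400 default: isolated UNI-VLAN

    def set_uni_vlan(self, vlan, kind):
        assert kind in ("isolated", "community")
        self.uni_vlans[vlan] = kind

    def runs_stp(self, name):
        p = self.ports[name]
        return p.connected and (p.port_type == "nni"
                                or (p.port_type == "eni" and p.stp_enabled))

    def can_forward(self, a, b):
        """Can a frame received on port a be forwarded out port b?"""
        pa, pb = self.ports[a], self.ports[b]
        if not (pa.connected and pb.connected) or pa.vlan != pb.vlan:
            return False
        if "nni" in (pa.port_type, pb.port_type):
            return True  # UNI/ENI <-> NNI is always allowed
        # UNI/ENI <-> UNI/ENI only when the UNI-VLAN is a community VLAN
        return self.uni_vlans[pa.vlan] == "community"

    def stp_instance_exists(self, vlan):
        return any(p.vlan == vlan and self.runs_stp(p.name) for p in self.ports.values())

    def loop_risk(self, vlan):
        """Customer-facing port pairs in `vlan` that forward to each other while at
        least one side runs no STP: a loop between those ports would go undetected."""
        edge = [p.name for p in self.ports.values()
                if p.vlan == vlan and p.port_type != "nni"]
        return [(a, b) for a, b in combinations(edge, 2)
                if self.can_forward(a, b) and not (self.runs_stp(a) and self.runs_stp(b))]


def build_topology():
    """Constructed topology mirroring the post: R1/R2 on Fa0/1-2 in VLAN 2, uplinks notconnect."""
    sw = Switch()
    sw.add_port("Fa0/1", "uni", 2)
    sw.add_port("Fa0/2", "uni", 2)
    sw.add_port("Gi0/1", "nni", 2, connected=False)
    sw.add_port("Gi0/2", "nni", 2, connected=False)
    return sw


def walk_through():
    """Replay the post's steps; returns {step: (R1<->R2 forwards, STP instance for VLAN 2, loop-risk pairs)}."""
    sw = build_topology()
    results = {}

    def record(step):
        results[step] = (sw.can_forward("Fa0/1", "Fa0/2"),
                         sw.stp_instance_exists(2), sw.loop_risk(2))

    record("defaults")                      # ping fails, no STP instance
    sw.ports["Fa0/1"].port_type = "nni"
    record("port-type nni")                 # ping works, STP runs on Fa0/1
    sw.ports["Fa0/1"].port_type = "uni"
    sw.set_uni_vlan(2, "community")
    record("uni-vlan community")            # ping works, no STP: loop risk
    for n in ("Fa0/1", "Fa0/2"):
        sw.ports[n].port_type = "eni"
        sw.ports[n].stp_enabled = True
    record("eni + spanning-tree")           # ping works, STP runs again
    return results


if __name__ == "__main__":
    for step, (fwd, stp, risk) in walk_through().items():
        print(f"{step:22} R1<->R2={fwd!s:5} STP={stp!s:5} loop-risk={risk}")
```

The loop_risk check is the part worth keeping around: it answers the question the post raises after the community VLAN step, namely which customer-facing ports can now reach each other with no spanning tree protecting the path, which is exactly the state to avoid on a provider edge.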

Now you know a bit more than before about the ME3400. It’s a nice switch and if you learn
the defaults you will figure it out pretty quickly.

A look at access to distribution block designs

November 7, 2012 12 comments

So I’ve just started to read the ARCH book and I want to do some posts to help with
my understanding but I’m also very interested in hearing from you readers what
kind of design you like and why. Post in the comments which design you would prefer
and why you prefer it.

So this post is about designing the access to distribution layer. I will show a
couple of different ways of designing this block and give my point of view on
the advantages and disadvantages of each.

First out we have the layer 2 loop free design.

The links between the access and distribution layer are layer 2 trunks but the
link between the distribution switches is layer 3.

Pros:

All links are forwarding.
No bridging loops possible.
Fast convergence, only dependent on FHRP.
Load balancing possible by tweaking STP and FHRP.

Cons:

Can’t stretch VLANs across multiple switches.
FHRP traffic must pass through the access layer switch.

This is a good design because we have no layer 2 loops. This also means that we
will have faster convergence in case of a failure since we are not relying on
spanning tree to reconverge. Often it is not possible to use this design because
we have the need to stretch VLANs across multiple switches. Maybe we always have one
VLAN for management, or the same VLAN is used for voice or some requirement like that.
That would keep us from using this design.

Then we have the layer 2 looped design. This is the traditional design that is probably
most commonly deployed.

Pros:

Can use any VLANs we like and stretch them across multiple switches.

Cons:

Possibility for bridging loops.
Dependent on both STP and FHRP convergence.
Not all links forwarding.

So this is the one most of us use, I think. It’s easy and comfortable and you can
spread your VLANs. You pay by risking bridging loops and by not utilizing
all of your links.

Then we have the layer 3 routed access design.

Pros:

No risk of bridging loops.
Spanning tree not necessary on ISLs.
Fast convergence.
No need for FHRP.

Cons:

More expensive solution to run layer 3 in access layer.
Can’t span VLANs across multiple switches.

This solution is really nice if you can fit it in your budget. You will only rely on IGP
for convergence and you get rid of spanning tree almost entirely. You also don’t need
to run a FHRP since now your default gateway is on the access layer device.

If we have Catalyst 6500 with VSS or something like stacked 3750s in the distribution
layer then we can run a Multichassis EtherChannel (MEC) which would make the two links
to the distribution appear as one logical and we would have more bandwidth and no
blocking links. It would look like this.

So now I’m interested in hearing from you readers which one you like best and which
one you use. Argue why you prefer the one that you use. Are you seeing much layer 3 in
future designs or are you still stuck with L2?

CCDP on the horizon

November 6, 2012 8 comments

So I’m enjoying the time at home with my family. It’s great not having to spend
all the evenings studying.

That said I can’t just slack off and do nothing. I still want to learn. I have
a commute to work and I’ll spend that time studying for CCDP.

Why CCDP? I’m already a CCDA and my work involves doing designs so it won’t
hurt to go deeper in that direction. From what I’ve seen so far the CCDP seems
far more interesting than the CCDA.

I’ll try to write about things I pick up from the book. I don’t always agree 100%
with the book and in those cases I might write about it here and argue why I
don’t agree with the book.

Hope you guys are sticking around for my next journey 🙂


Becoming a CCIE – the path and cost associated to my number

November 2, 2012 40 comments

While on IRC I had a request to describe my journey and the costs associated with becoming
a CCIE. Becoming a CCIE is not cheap but I’ve worked for great companies that have covered
all of my costs.

I first started studying for the written back in the summer of 2010. All my posts from back
then are still available in the archives. My strategy for the written was to build a strong
foundation to stand on before moving on to labs. I did not want to fast forward through
the written just to get on to the labs. Remember that the CCIE lab is about thinking at a
CCIE level, it is not about commands. You need to read for the CCIE, a lot! If you don’t like
reading then I’m sorry but this exam is not for you. I’ve probably read close to the
amount of someone becoming a doctor if I count the pages of everything I’ve read so far.
Here are some of the books that I read for the written and the costs associated with them:

Interconnections: Bridges, Routers, Switches, and Internetworking Protocols
53$

TCP/IP Illustrated, Vol. 1: The Protocols
45$

Internetworking with TCP/IP Vol.1: Principles, Protocols, and Architecture (4th Edition)
30$

CCIE Routing and Switching Certification Guide (4th Edition)
55$

Routing TCP/IP, Volume 1 (2nd Edition)
63$

Routing TCP/IP, Volume II (CCIE Professional Development)
61$

Developing IP Multicast Networks, Volume I
75$

Sum of books for the written: 382$

In January of 2011 I went to take the written exam. The exam went well and I passed. It
was a bit different than the NP level exams but that was to be expected. The cost for
the written is 350$. Add that up with the cost of the books and you are looking at 732$
to get your ticket to the lab.

I needed to get some vendor workbooks and I decided to use INE due to their reputation and
instructors that were in place. I was able to pick up all the workbooks for something like
399$ on some deal.

I read Petr at INE’s post on how to study for the CCIE lab exam.

I decided to use the 12 month program because I was in no hurry and time is scarce when
you have kids. Basically you start out with doing all the core labs like the essential
features of the routing protocols which makes up the core knowledge you must have before
starting to do the full scale Vol2 labs. I was able to do most of the labs in Dynamips.
I converted the INE configs to Dynamips with a sed script that I’ve shared on my site earlier.
If you look at IEOC (INEs forum) you can find a user called relativitydrive that has already
converted all the configs for you if you want to run Dynamips.

For the switching tasks you need to either rent a rack or to buy your own switches and hook
them up to your Dynamips topology. My UK friend Darren has a nice post on how to connect
switches to your Dynamips topology.

I used rack rentals to practice the switching scenarios. I don’t know exactly how much I
spent on rentals but maybe around 500$.

After I had done the Vol1 labs I started with Vol2. I was shocked, first of all the
diagrams and having to configure VLANs just from a diagram was a new experience for
me as for most. Also things like configuring OSPF which I felt pretty comfortable with
I could not even complete all those tasks. Expect to be crushed! Everything you thought
you knew will be put to test. CCIE is a whole different level than most of us are used
to so keep your head up even though you will be crushed the first couple of times you
do a Vol2 lab.

There are a few different ways you can do a Vol2 type lab. Either you do all the tasks
you think you can solve in one run and then you come back and look at the things you
could not solve. Or you do the tasks you can and then you peek at the SG for the
things that you could not solve yourself. You need to find what works best for you but
don’t be too worried about speed in the beginning. That will come in time, trust me.
What you should do straight away is abandon Google, no more Google for you my friend!
To find anything you want to reference you need to go to the DOCCD. You will eat, drink
and breathe the DOCCD until you pass the lab so get used to it 🙂 Basically you will
be going to the IOS 12.4T section or to the 3560 switches. The DOCCD is located here.
INE has a free Vseminar on how to use the DOCCD.

Some people see the written and the lab as two entirely different beasts. I don’t think about
it that way because you are still working towards an end goal and that is to become a CCIE.
What you don’t want to do is stop reading just because you are labbing. You need to do
both. Don’t forget to use the RFC as sources, they are a resource you should tap into.
I can’t remember everyone that I read but these are some major ones.

RFC 791 – Internet Protocol
RFC 826 – An Ethernet Address Resolution Protocol
RFC 2328 – OSPF version 2
RFC 4271 – A Border Gateway Protocol 4 (BGP-4)
RFC 3031 – Multiprotocol Label Switching Architecture
RFC 4594 – Configuration Guidelines for DiffServ Service Classes
RFC 4577 – OSPF as the Provider/Customer Edge Protocol for BGP/MPLS IP Virtual Private Networks (VPNs)

This is a free resource and the RFCs are written by some of the smartest people in
the industry so don’t forget to use them.

If you decide to go for INE then don’t forget to use IEOC which is the
user community (forum) where you can ask questions about labs and most of what you
want to ask will already have been asked by someone previously. You will probably
find my face on a lot of threads in there 🙂

When you do Vol2 labs don’t be too strict about grading yourself. Your solution can be just as
valid as long as you don’t break any restrictions. Also try to get into the habit of doing
alternate solutions and throw some extra stuff in there to make you think a bit more. When
you start a lab you should not start typing immediately. Read through the entire lab and
look for dependencies. Do you need to run IPv6 on 3560? Might as well change the SDM
profile and reload at once. You don’t really want to reload when you have a stable
topology. While the switches are reloading you can do your VLAN config in Notepad or
something else. The CCIE lab is about being smart and effective, typing fast helps
but is not necessary to pass the lab.

Troubleshooting is a big part of the CCIE lab. You have a 2h session with just
troubleshooting and expect to at least mess something up during your config section
as well. Many people ask: How do I learn troubleshooting? The answer is: You don’t!
You can’t just practice troubleshooting like it was a separate skill. You need to
know the protocols! In some ways the troubleshooting is more difficult because you
already have a network running and you must understand what is going on in it.
You need to use the right tools and you need to know what the output looks like.
Sometimes you might have to match output to get something correct.

INE has some cool stuff coming up with their new TS racks. Other than that
I recommend that you make troubleshooting something you do regularly.
If you get stuck on something try to figure it out by yourself first and
use the proper tools before looking for a simple solution. What I did before my
2nd lab attempt was to configure a lot of different technologies like OSPF, EIGRP,
MPLS, BGP, Multicast etc etc. I made a working topology, which in itself is
good practice. If you can’t configure a topology without someone holding your hand
then you are not ready. Then I would try to break things and look at what happened.
For MPLS, what happens if you disable CEF? What happens when you have a duplicate RID
in OSPF? Is the behaviour the same when you are running EIGRP? This worked very well
for me and for my last 2 attempts I had no issues with the TS section.
Always remember that the network was functioning and then something was altered
to make it break. You need to solve the core issue and not work around the issue.

As I mentioned earlier you don’t want to stop reading books just because you are labbing.
Here are some of the books I read for lab preparation:

OSPF: Anatomy of an Internet Routing Protocol
46$

QOS-Enabled Networks: Tools and Foundations
76$

Practical BGP
44$

Interdomain Multicast Routing: Practical Juniper Networks and Cisco Systems Solutions
42$

MPLS-Enabled Applications: Emerging Developments and New Technologies
60$

So that is another 268$ of books. Now I did not actually buy all these books. I got a Safari
account as well which is really nice. It costs a bit but then you have all the books you need.

Every lab attempt costs around 1800$. I need to fly to Brussels and spend one night there.
Flying usually costs around 500$. A room for a night is maybe 250$. Then you need to eat
something and maybe get a cab etc. So each attempt costs around 2600$.

I passed in my 3rd attempt so that is 2600$ * 3 = 7800$

If we sum it all together:

Books 650$
Written exam 350$
Workbooks 399$
Rack rental 500$
3x lab attempts 7800$

Sum: 9699$

I did not include the bootcamp in this since I consider that
optional. But everyone needs books/workbooks and of course to take the tests. If you
live nearer a testing center you can save some on the lab attempts. Hopefully you can
pass in your first or second attempt but the average is somewhere around two to four
attempts before passing. So before starting your journey you should budget for 10-15k
to earn your CCIE. Hopefully if you are lucky as I have been your employer will fund
some/all of the costs but that is no given.

Finally, there is really no way of knowing when you are ready to go to the lab except
for going to the lab and finding out. Mock labs will give you some rough guidance
but it’s not 100% accurate because you can never fully simulate the stress. What
I do recommend is that you try to get as comfortable as possible by simulating the
test environment. Practice using only one monitor, use PuTTY, use a US keyboard.
Check out the lab exam demo before you go to the lab. Anything that can help
ease the stress a bit on the lab day will be good.

I hope this post gave you some insight to studying and that becoming a CCIE is
indeed expensive. Hopefully it is all worth it in the end 🙂