Channel: CCIE Blog | iPexpert

CCIE Collaboration Written VOD :: 50% Off From Now Through Sept 2nd

If you’re working on your CCIE Collaboration studies, you’ll want to look into our new CCIE Collaboration Written VOD :: Next Gen as a starting point!

During this high-definition, studio-recorded video course, you’ll watch Andy Vassar (CCIE x3 :: Collaboration, Voice and R&S) explain the theory, and conduct white boarding on nearly every protocol or technology that you’ll encounter on the CCIE Collaboration written exam.

Throughout the day today, purchase our CCIE Collaboration Written VOD :: Next Gen and receive 50% off the list price of $699 (Streaming). Be sure to use coupon code “LaborDayCollabWr”.


1-year and 2-year iPeverything™ Subscription Free Racktime if Purchased Before Sept 3rd

Our iPeverything™ subscription is the industry’s most up-to-date and complete learning subscription for any of the 5 CCIEs, CCNPs and CCNAs that we teach. (R&S, Data Center, Collaboration / Voice, Wireless and Security tracks)

2-Year Promotion:

Through September 2nd, when you purchase a 2-year iPeverything™ subscription, you’ll have the option to receive ONE of the following rack voucher packages free:

  • 200 4-hour R&S sessions
  • 150 4-hour Security sessions
  • 100 4-hour Wireless sessions
  • 75 4-hour Collaboration sessions
  • 25 4-hour Data Center sessions

1-Year Promotion:

Purchase a 1-year iPeverything™ subscription, and you’ll be provided with one of the following CCIE Rack Voucher packages:

  • 75 4-hour R&S sessions
  • 50 4-hour Security sessions
  • 50 4-hour Wireless sessions
  • 25 4-hour Collaboration sessions
  • 10 4-hour Data Center sessions

*Note: Your vouchers will be added to your Member’s Account the following business day.

1-year iPvideo Pass™ Subscription :: Price Slashed today ONLY

There’s NEVER been a more up-to-date and cost-effective CCNA and CCNP video training library!

This weekend, purchase our 1-year iPvideo™ pass subscription for just $199.00 and save $100. Just use coupon code “LaborDayiPvideo”.

What’s included:

  • Streaming access to the following VoD courses:
    • CCENT
    • CCNA R&S
    • CCNP R&S
    • CCNA Data Center
    • CCNP Data Center (DCUFI)
    • CCNA Voice
    • CCNP Voice
    • CCNA Wireless
    • CCNP Wireless
    • CCNA Security
    • CCNP Security
  • 50% off of video downloads
  • Access to our entire CCNA and CCNP Audio on Demand Lecture Library
  • Access to our entire CCNA and CCNP Online Test Prep Quizzer Library

*Note: Must pre-pay and purchase the 1-year subscription for iPvideo, monthly subscriptions will not qualify you for this promotion.

Management of CEs From Several Customers by a MPLS L3 VPN Service Provider

When a service provider provides a customer with an L3 VPN service, the CEs are most of the time owned, controlled and managed by the service provider.

The end customer can be allowed to poll its CEs via SNMP for read-only (RO) information, but the configuration, the backup and the monitoring are all performed from the service provider management systems. All those management systems (TFTP, syslog, image repository, monitoring system, stepping stone, NTP…) are located on the service provider management LAN.

The loopbacks of the CEs used for the management are part of the customer VRF routing table and each customer VRF has its own routing table. We have to bear in mind that isolation from one customer VPN to another customer VPN has to be preserved at all times. How can the service provider access, in a simple and secure way, CE loopback addresses that are part of different VRFs? Let’s solve it.

I’m using the following MPLS network to illustrate the solution:

[Image: CE Blog B]

The Management LAN 192.168.128.0/25 is connected to a management CE called MCE1. The Management CE is part of the VRF SP_Management.

The VRF configuration on the PE2 is the following:

[Image: n]

The CE1-CustA is part of VRF Customer_A. The management IP address of CE1-CustA is the loopback0 10.255.255.1.

The CE3-CustB is part of VRF Customer_B. The management IP address of CE3-CustB is the loopback0 10.255.255.3.

The CE9-CustA is part of VRF Customer_A. The management IP address of CE9-CustA is the loopback0 10.255.255.9.

Those CE management IP addresses have to be unique among all the customers and therefore will be allocated from a range managed by the service provider. This range of CE management IP addresses cannot be reused in the VPN of the customers. The management network of the service provider is routed in every customer VRF and thus also cannot be reused in the VPN of the customers. It is therefore the responsibility of the service provider to clearly communicate this restriction to the VPN customers.

The configuration on the PE5 is the following:  

[Image: o]

The configuration on the PE6 is the following: 

[Image: p]

To enable the connectivity between the CE loopbacks and the network management LAN, we are first going to import in the VRF Customer_A and Customer_B all the routes with the route-target 1000 that are present in the management VRF SP_Management.

The configuration on the PE5 is the following:

[Image: q]

The configuration on the PE6 is the following:

[Image: r]

The network management 192.168.1.128/25 is now present in the BGP database and the routing table of VRF Customer_A and Customer_B.

[Image: CE Blog E]

Now we have to ensure that there is a route back from the management network to the CE loopbacks. We create a new route-target, 1001, which is used only for importing the leaked routes into VRF SP_Management. The loopback0 of each CE is exported and tagged with the BGP route-target attribute 1:1001 in addition to the route-target of the customer VRF. The CE loopback of a customer VRF is therefore present in the BGP database of that customer VRF and of the management network VRF.

The following configuration is applied on PE2: 

[Image: s]

The following configuration is applied on PE5: 

[Image: t]

The following configuration is applied on PE6:

[Image: AA]

We can now ping from the MCE1 to the loopback0 of the CEs:

[Image: CE Blog G]

Only the loopback of the CEs is routable. This looks safe and finished, but there are still denial of service possibilities!

First security breach: When an ICMP echo is sent to a network management LAN device from the Customer_A VRF with a spoofed source IP address of 10.255.255.3 (loopback0 of a Customer_B CE), the ICMP echo-reply is sent to the loopback0 of the Customer_B CE. As a result, a denial of service attack on the Customer_B CE could be orchestrated from the Customer_A network. This is unthinkable and unacceptable for a service that is supposed to hermetically separate the networks of different customers!

In order to mitigate this, we have to configure the RPF check on the PE to CE connections.

The following configuration is applied on PE5: 

[Image: v]

The following configuration is applied on PE6:

[Image: w]
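
The route-target leaking and the RPF check described above, modelled in Python as an added example (not the author's configuration or code). The customer route-targets 1:100 and 1:200 and the customer LAN prefixes are constructed, strict-mode RPF is assumed, and 1:1000 assumes the article's route-target 1000 is written in the same 1:nn form as 1:1001.

```python
import ipaddress
from dataclasses import dataclass, field

# 1:1001 is the article's loopback route-target. 1:1000 assumes the article's
# "route-target 1000" has the same 1:nn form. 1:100 and 1:200 are constructed.
RT_MGMT, RT_LOOPBACK, RT_A, RT_B = "1:1000", "1:1001", "1:100", "1:200"
net = ipaddress.ip_network


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_vrf: str
    via: str          # device that originates the prefix (a CE or MCE1)
    rts: frozenset    # route-targets attached at export


@dataclass
class Vrf:
    name: str
    import_rts: set
    export_rts: set
    local: dict                                      # prefix -> originating device
    export_map: dict = field(default_factory=dict)   # prefix -> extra route-targets

    def exported(self):
        for prefix, via in self.local.items():
            rts = self.export_rts | self.export_map.get(prefix, set())
            yield Route(prefix, self.name, via, frozenset(rts))


def build_tables(vrfs):
    """Per-VRF table: local routes plus every route carrying an imported RT."""
    advertised = [r for v in vrfs for r in v.exported()]
    tables = {}
    for v in vrfs:
        table = {r.prefix: r for r in advertised if r.rts & v.import_rts}
        table.update({r.prefix: r for r in v.exported()})  # local routes win
        tables[v.name] = table
    return tables


def isolation_violations(tables, mgmt_vrf="SP_Management"):
    """Leaked routes that break the design: any customer-to-customer route, or
    anything other than a /32 host route leaked into the management VRF."""
    bad = []
    for name, table in tables.items():
        for r in table.values():
            if r.origin_vrf == name:
                continue
            if name == mgmt_vrf and r.prefix.prefixlen != 32:
                bad.append((name, str(r.prefix)))
            elif name != mgmt_vrf and r.origin_vrf != mgmt_vrf:
                bad.append((name, str(r.prefix)))
    return bad


def urpf_accepts(table, src, ingress_ce, strict=True):
    """uRPF on a PE-CE interface: longest-match lookup of the packet's source.
    Strict mode also requires that route to point back at the ingress CE."""
    addr = ipaddress.ip_address(src)
    matches = [r for p, r in table.items() if addr in p]
    if not matches:
        return False                      # no route to the source at all
    best = max(matches, key=lambda r: r.prefix.prefixlen)
    return best.via == ingress_ce if strict else True


def sample_vrfs(export_1001_for_whole_vrf=False):
    """The article's three VRFs. Customer LAN prefixes are constructed. The flag
    models a mistake: 1:1001 set on Customer_B's whole export, not just lo0."""
    lo1, lo3, lo9 = (net(f"10.255.255.{n}/32") for n in (1, 3, 9))
    lan_a1, lan_a9, lan_b3 = (net(f"172.16.{n}.0/24") for n in (1, 9, 3))
    b_export = {RT_B, RT_LOOPBACK} if export_1001_for_whole_vrf else {RT_B}
    return [
        Vrf("SP_Management", {RT_MGMT, RT_LOOPBACK}, {RT_MGMT},
            {net("192.168.128.0/25"): "MCE1"}),
        Vrf("Customer_A", {RT_A, RT_MGMT}, {RT_A},
            {lo1: "CE1-CustA", lan_a1: "CE1-CustA",
             lo9: "CE9-CustA", lan_a9: "CE9-CustA"},
            {lo1: {RT_LOOPBACK}, lo9: {RT_LOOPBACK}}),
        Vrf("Customer_B", {RT_B, RT_MGMT}, b_export,
            {lo3: "CE3-CustB", lan_b3: "CE3-CustB"},
            {lo3: {RT_LOOPBACK}}),
    ]


if __name__ == "__main__":
    tables = build_tables(sample_vrfs())
    for name, table in tables.items():
        print(name, sorted(str(p) for p in table))
    cust_a = tables["Customer_A"]
    print("violations:", isolation_violations(tables))
    print("spoofed Customer_B lo0 via CE1-CustA:",
          urpf_accepts(cust_a, "10.255.255.3", "CE1-CustA"))
    print("spoofed CE9 lo0 via CE1-CustA, strict/loose:",
          urpf_accepts(cust_a, "10.255.255.9", "CE1-CustA"),
          urpf_accepts(cust_a, "10.255.255.9", "CE1-CustA", strict=False))
    print("misconfigured export:",
          isolation_violations(build_tables(sample_vrfs(True))))
```

The misconfigured variant shows why 1:1001 belongs on the loopback only: attached to the whole VRF export, the customer LAN prefix lands in SP_Management and the audit reports it.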

Second security breach: Apart from the Loopback0, no customer network can access the network management LAN, because the network management VRF has no route back to any other network. However, the packets still reach the network management LAN, and a denial of service attack could be orchestrated from a customer LAN against the network management system of the service provider. To avoid this, we harden our design by placing an access-list on each CE.

The following configuration is applied on CE1-CustA:

[Image: x]

The following configuration is applied on CE3-CustB:

[Image: y]

The following configuration is applied on CE9-CustA:

[Image: z]

With this configuration in place, a service provider can securely manage the CEs from a centralized management LAN.

Laurent Metzger
CCIE Data Center and R&S Instructor
CCIE #13538 (Data Center, R&S, and Storage) VMware, VCP5

About Laurent:

Laurent, a triple CCIE, has been working in the telecommunications industry for over a decade. He has extensive hands-on experience supporting and troubleshooting some of the largest networks in France, the Netherlands, Spain, and Switzerland, with a primary focus on MPLS/VPN service provider, and Cisco Data Center networks and technologies. Recently, he has been a Sr. Network Architect for highly-visible corporations in Switzerland, where he has designed, installed, supported, and trained on various data center technologies, including LAN-SAN convergence, virtualization, hybrid cloud solutions, and inter-DC communication. He will be responsible for teaching iPexpert’s CCIE R&S and CCIE Data Center classes throughout the US, London, Amsterdam, Brussels, Zurich, and Milan, and is also assisting in self-study workbook development and technical support.

CCIE R&S V5 Bootcamp Update and Product Development News

CCIE R&S V5 Lab Bootcamp Update

We’re excited to announce MORE enhancements to our CCIE R&S V5 Bootcamps!

Pricing Update – Our pricing for our 10-day CCIE R&S V5 Bootcamp has been reduced to $3,499. We understand that your CCIE R&S journey is typically paid for by the individual, and we’re committed to offering the absolute BEST CCIE R&S training possible at the most affordable rate!

Student Racks :: Major Enhancement! – We’ve just completed the installation of 68 FULL CCIE R&S student racks (Our self-study workbooks and VoD are also designed around this topology, which can be rented online!) These racks have been massively expanded to reflect the topology you may expect to see on the real lab. Each student will have access to this new topology, which consists of 36 2900 series ISR routers, running 15.4(1)T, 8 Catalyst switches running 15.1 code, 7 additional ISP routers (used to provide the SP BGP backbone), and 3 additional backbone routers (for miscellaneous route injections). You won’t find a better, more complete and more realistic R&S topology in the CCIE training space!

Included in Your Bootcamp Purchase – We’re quite excited to have the most appealing CCIE R&S bootcamps, at a cost-effective price, but it doesn’t stop there. When you purchase a CCIE R&S Bootcamp, you’re also given access to EVERY SINGLE CCIE training resource we have in our portfolio – for every CCIE track (2-year subscription!). Included in your bootcamp purchase is:

  • A free subscription to iPeverything™
  • The Volume 1 and Volume 2 workbooks and Detailed Solution Guides for the track you’re studying for.
  • Access to every CCIE Written, CCIE lab, CCNP and CCNA VoD course.
  • Access to every audio on demand lecture for all CCIE, CCNP and CCNA tracks.
  • Access to every CCIE written, CCNP and CCNA quizzer.
  • Free online vLecture access for ALL certifications / all tracks.
  • Free online workbook mentoring for ALL certifications / all tracks.
  • VIP support from within iPexpert’s Member’s Only Support Community.
  • Retake Policy – Our retake policy is quite simple. While other CCIE training vendors charge upwards of $1,000 for a “rack rental fee”, we don’t. In fact, not only are our retakes FREE, but you can retake a bootcamp (either live or online) until you pass your lab! We’re committed to your success, and feel quite confident that our CCIE R&S bootcamp will be able to get you over the hump, and help you earn your CCIE number!

CCIE R&S Bootcamp Dates and Locations – Seats are filling up fast. If you’re interested in reserving a future course seat you can do so on a payment plan, or you can purchase a bootcamp voucher and select your date later. Our current 10-day CCIE R&S bootcamp schedule is as follows:

  • Sept 15-26 – RTP
  • Oct 20-31 – RTP (Just Added!)
  • Nov 10–21 – RTP
  • Dec 8-19 – Online
  • January 12–23, 2015 – San Jose
  • Feb 16–27, 2015 – Naples, Florida
  • March 16-27, 2015 – RTP
  • April 13–24, 2015 – Online
  • May 4-15, 2015 – San Jose
  • June 15–26, 2015 – Chicago

We’re quite confident that we’ve got the best CCIE R&S V5 bootcamp on the market. Not only is our instructor a dual CCIE (R&S and DC), and a published Author (CCIE Routing and Switching v5.0 Official Cert Guide Library), but you won’t find the level of commitment, and supplemental tangibles that we include (self-study included, free / unlimited retakes and the most accurate / “lab like” topology on the market)! If you’re interested in passing your CCIE R&S V5 lab exam – we WILL help get you there! Book Your R&S V5 Seat Now!

CCIE R&S V5 Self-Study Development Update & Timelines

We’d like to give a quick update on the remaining CCIE R&S V5 self-study products. We’ve been diligently working on our content, but have taken some additional time to ensure that these are the absolute best R&S V5 products on the CCIE training market! Of course, all of these products can be purchased individually, or you will gain access to all of our CCIE training resources and updates (as well as CCNA and CCNP) if you are an iPeverything™ subscriber.

  • CCIE R&S V5 Volume 1: Technology Workbook: All 45 technology labs are now completed. Over the next 90 days we will be rolling out our Detailed Solution Guide for these labs (on a weekly basis). We’re putting a wealth of effort into ensuring that these DSGs are as detailed as possible. In the meantime, please use our Member’s Only Support Community to ask any technical questions you may have. Our instructors and developers monitor this community and will assist you with any issue you may have.
  • CCIE R&S V5 Volume 2: Mock Lab Workbook: Our first 2 8-hour Volume 2 mock labs will be released this month. These will consist of all 3 sections in the R&S lab (Troubleshooting, Diagnostics, Lab) and have been written around our new V5 R&S topology, which will go live September 12th.
  • CCIE R&S V5 VoD: We’ve released approximately 60 hours of new V5 content, and will be adding material on a weekly basis. All CCIE R&S video content is being re-recorded around our full-scale V5 topology, and we anticipate the final product being approximately 150 hours of material covering every single bullet on the V5 blueprint.
  • CCIE R&S V5 Racks: We’ve just finished the installation and testing of an entirely new R&S V5 topology consisting of 36 2900 series ISR routers, running 15.4(1)T, 8 Catalyst switches running 15.1 code, 7 additional ISP routers (used to provide the SP BGP backbone), and 3 additional backbone routers (for miscellaneous route injections). This topology will be the standard topology used in our self-study products as well as in our CCIE Routing and Switching Bootcamps. These racks will be made available to the public September 12th.

Interested in CCIE R&S V5 Self-Study Material? Our Training Advisors Are On Standby

As always, a dedicated Training Advisor is on standby and can answer any questions you may have or even assist you with a custom training program or group discounts. To reach one of our TAs, please select your option of communication below:

 

Mobile CCIE Labs provide greater access to take your CCIE Lab exam

Mobile CCIE Labs are currently only available for the CCIE Routing & Switching, CCIE Security and CCIE Service Provider Lab Exams

Cisco has introduced the mobile lab program to provide candidates greater access to Lab testing while greatly reducing travel time and expenses. Mobile CCIE Labs provide a convenient and cost-effective method for candidates to test for CCIE Routing and Switching, CCIE Security and CCIE Service Provider in areas which do not have permanent lab locations.

The Mobile CCIE Lab reduces the need for costly travel, hotel, passport, and visa fees, missed days of work and the need to leave the country to take the CCIE Lab exam.

Map of Cisco Lab Locations and proposed Mobile Labs: https://learningnetwork.cisco.com/static/mobile_lab_map_big_v2.jpg

Scheduled Dates and Locations

Note: Dates with an “R” Status are confirmed events with location information. These events are available for open registration.

Lab Locations 2014 Dates Status Lab
London, UK Jun 30 – Jul 4 R Routing & Switching, Security
Taipei, Taiwan Jul 7 – 11 R Routing & Switching, Security and Service Provider
Moscow, Russia Jul 14 – 18 R Routing & Switching, Security
Singapore, Singapore Jul 14 – 18 R Routing & Switching, Security and Service Provider
Sao Paulo, Brazil Jul 21 – 25 R Routing & Switching, Security and Service Provider
Jakarta, Indonesia Aug 4 – 8 R Routing & Switching, Security and Service Provider
Lagos, Nigeria Aug 11 – 15 C Routing & Switching, Security
Mexico City, Mexico Aug 18 – 22 R Routing & Switching, Security and Service Provider
Johannesburg, South Africa Aug 25 – Sep 2 C Routing & Switching, Security
Shanghai, PR China Sep 1 – 5 R Routing & Switching, Security and Service Provider
Kazan, Russia Sep 1 – 5 R Routing & Switching, Security
Moscow, Russia Sep 8 – 12 C Routing & Switching, Security
Toronto, Canada Sep 15 – 23 R Routing & Switching, Security and Service Provider
Riyadh, Saudi Arabia Sep 21 – 25 C Routing & Switching, Security
Singapore, Singapore Sep 29 – Oct 3 R Routing & Switching, Security and Service Provider
London, UK Oct 6 – 14 R Routing & Switching, Security
Chengdu, PR China Oct 13 – 21 R Routing & Switching, Security and Service Provider
Sao Paulo, Brazil Oct 27 – 31 R Routing & Switching, Security and Service Provider
Istanbul, Turkey Nov 3 – 7 R Routing & Switching, Security
Wuhan, PR China Nov 10 – 14 P Routing & Switching, Security and Service Provider
Dalian, PR China Nov 10 – 18 R Routing & Switching, Security and Service Provider
Johannesburg, South Africa Nov 17 – 21 R Routing & Switching, Security
Bogota, Colombia Nov 24 – 28 R Routing & Switching, Security and Service Provider
Moscow, Russia Dec 1 – 9 R Routing & Switching, Security
Toronto, Canada Dec 8 – 16 R Routing & Switching, Security and Service Provider
Lab Locations 2015 Dates Status Lab
Shanghai, PR China Jan 12 – 20 R Routing & Switching, Security and Service Provider
Monza, Italy Jan 19 – 27 R Routing & Switching, Security
Singapore, Singapore Jan 26 – 30 R Routing & Switching, Security and Service Provider
London, UK Feb 2 – 10 R Routing & Switching, Security
Mexico City, Mexico Feb 9 – 13 R Routing & Switching, Security and Service Provider
Sao Paulo, Brazil Feb 23 – Mar 3 R Routing & Switching, Security and Service Provider
Johannesburg, South Africa Mar 2 – 10 R Routing & Switching, Security
Shanghai, PR China Mar 9 – 13 R Routing & Switching, Security and Service Provider
Moscow, Russia Mar 16 – 20 R Routing & Switching, Security
Singapore, Singapore Mar 23 – 27 R Routing & Switching, Security and Service Provider
Wuhan, PR China Apr 7 – 14 R Routing & Switching, Security and Service Provider
Lagos, Nigeria Apr 13 – 17 R Routing & Switching, Security
Toronto, Canada Apr 20 – 28 R Routing & Switching, Security and Service Provider
Riyadh, Saudi Arabia Apr 26 – 30 R Routing & Switching, Security
Jakarta, Indonesia May 4 – 12 N Routing & Switching, Security and Service Provider
Singapore, Singapore May 18 – 22 N Routing & Switching, Security and Service Provider
Istanbul, Turkey May 25 – 29 N Routing & Switching, Security
Shanghai, PR China Jun 1 – 5 N Routing & Switching, Security and Service Provider
Berlin, Germany Jun 8 – 16 N Routing & Switching, Security
Taipei, Taiwan Jun 15 – 19 N Routing & Switching, Security and Service Provider
Johannesburg, South Africa Jun 22 – 26 N Routing & Switching, Security

Status Legend:

N = New date and location, event is not confirmed

R = Confirmed events and are available for open registration, it does not indicate availability. You must Login to the CCIE Database to view availability and register for lab exams.

P = Postponed

C = Canceled, due to low enrollment

+ = For questions related to this cancellation please open a case with www.cisco.com/go/certsupport.

  • Mobile labs can be scheduled up to 8 months in advance, which is the same policy for the traditional CCIE permanent lab locations.
  • For your reference we have an archive of Past and Cancelled Mobile Lab dates.
  • We reserve the right to cancel any event if the registrations do not meet the minimum requirements.

This blog is a republished copy of the Mobile Lab Overview article taken from: https://learningnetwork.cisco.com/docs/DOC-3224

More CCIEs to Congratulate!

Please join us in congratulating the following CCIEs on their great achievement:

  • Niles Pyelshak, CCIE #44608 (Data Center)
  • Fredy Jonathan Tafolla Salgado, CCIE #38067 (Voice, Security, Data Center)

Fredy Jonathan Tafolla Salgado, CCIE #38067 wrote:
“I finally got my CCIE DC. I bought the WB Vol.I and Vol.II for CCIE Data Center. I was practicing the technology labs and after that the 8-Hour Mock labs. The labs are very good, because they cover all the topics in the blueprint needed to understand the technology. Thanks for All iPEXPERT!!!”

Have you recently passed your CCIE lab exam using iPexpert’s products (within the last 6 months)? If so, we’d like to hear from you! Please submit your testimonial to success@ipexpert.com including your name, CCIE number, the track, what products or class you used to help you achieve your goal and a few sentences on how our products assisted you. We will be sending out a special gift to all who participate.

How to Study for the CCIE Data Center Lab Exam

Probably one of the most frequent and common questions I get is how to approach studying for the CCIE Data Center lab exam. So, I thought to myself, why not write a blog that I can just point people to! :-)

After typing out, or explaining, the same preparation strategy a few hundred times, I decided writing something, somewhat official, might be the best course of action. So here it goes! Be mindful though, there is no “wrong” way to study. Not any one method will fit every candidate, so you have to be flexible and identify what will work for you both professionally and personally.

Now, I urge you to first think about this – How much time can you actually dedicate to studying? Be reasonable here. If you work full time, and have a family, you’re probably not going to be able to study 8 hours a day. A reasonable expectation, at least for someone under those circumstances, is to allocate approximately 2 to 3 hours a day. In my case, it was after I put my kids to bed, from about 8 to 11 PM every weeknight. I also hate putting numerical values around total studying hours with regards to these exams. So I’m not going to sit here and tell you that you need at least x-so-many hours of studying to pass this test. One candidate could put in 500 hours, and have a boatload of on-the-job experience that puts them in a good position to pass the exam. Another candidate may come in relatively green in all of the subject areas, and it may take them 1000 hours or more of prep time to finish, so it varies greatly depending on the candidate background and existing knowledge of Cisco technology. My methodology doesn’t necessarily base itself around total study hours, but rather a way to track through the technologies themselves.

The first thing I will say, is to go take and pass your written! That old theory of “oh I will just wait until I am ready for the lab to take my written,” is long gone! The theory behind that was that you could pass your written really late in the game, and then immediately schedule your lab and have plenty of cushion in that 18 month window. Guys, guess what…the available lab dates in both US locations (Exhibit A) are out till next February! So please, get out there, pass the written, and schedule your lab! Trust me, you don’t want to get to that “ready” state, and then have to wait 7 months for your day.

Exhibit A

San Jose

[Image: DC A]

RTP

[Image: DC B]

Now, once you have a lab date set, you can invoke what I call backwards planning. This means that you can plan, from the date of your lab, back to the current date, and schedule your studying accordingly. I personally gave myself a 2-week window from my lab date to do mock labs and run-throughs. From there, I gauged myself. I urge you to do the same. Download the blueprint from Cisco’s website, and use this to plan your preparation strategy accordingly around the technologies and topics seen there.

Take those topics and copy them into something like Excel, Evernote, OneNote… something. A lot of people I know like to create a single tab / notebook in one of those programs for every line item so that they can take notes. Once you have had an honest look at the curriculum, figure out where you are the strongest, and where you are the weakest. I personally had been doing so much with NX-OS, that I gauged I was by far the strongest in that category, and the weakest in storage, so I pushed those strong areas to the end of my study regime. From here I tried to dedicate an entire week to a particular topic, so I opened up a new Google account and utilized Google Calendar for this. I marked my lab date, and started planning. Again, my strongest topics were the ones I would cover, if I had time, the closest to my date. In the end it ended up kind of looking like this:

  • Week 1 – Fibre Channel Basics (101) and oversubscription – section 2.0/2.1.f
  • Week 2 – FC port-channels, Cisco ISL, and trunking – section 2.1a
  • Week 3 – VSANs, enhanced and basic zoning – sections 2.1b-c
  • Week 4 – FC domain parameters – section 2.1d
  • Week 5 – FC security features – Section 2.1.e

Now this was just a part of it… I did that for every line item. This allowed me to create my own “curriculum” around those specific topics. I found it best to go through a regimen of watching iPexpert’s VOD for the individual technologies. I would watch the entire video, and then I would read as much as I could on the topic. This included white papers, configuration guides, blogs, and traditional books. I think you guys know how to parse the internet for information, but book compilations I always found useful, so here were my top 5 for CCIE DC studies:

  1. Data Center Virtualization Fundamentals by Gustavo Santana – Gustavo easily became one of my favorite Cisco Press authors with this book (he joined the company of Wendell Odom here :-)). The book is about as close as an end-to-end guide for the DC track as there is out there, and it’s the only book I read end-to-end for this entire track!
  2. Storage Networking Fundamentals (Vol 2.) by James Long – This book is not for the faint of heart, or the storage newbie. It is packed full of protocol-specific information. I found it extremely useful for referencing materials.
  3. I/O Consolidation in the Data Center by Silvano Gai et al. – This book is a definite resource for FCoE studying.
  4. NX-OS and Cisco Nexus Switching by Ron Fuller et al. – This book was great as well. It really gives you a good look into Nexus devices, and how the NX-OS systems operate, and are configured.
  5. IBM Redbooks – Introduction to Storage Area Networks and System Networking – A free read on SANs and the protocols that they run on. It’s also a great reference for beginners to storage area networks.

After I had read until my mind was adequately numb, I found it time to lab. When labbing I tried to exclusively use iPexpert’s CCIE Data Center racks, which are accessible via Proctor Labs. At Proctor Labs, within the DC realm, we have one full-scale Mock Lab Rack that has everything needed for CCIE DC studies, and we have many technology racks which are perfect for 90% of your endeavors. (These racks contain 2 x Nexus 7k’s (VDC’s), 2 5548-UP, 2 x 2232 FEX’s, 2 x MDS 9216i’s, 1 C-220 M2 UCS server, as well as 2 Virtual Supervisors Modules for Nexus 1000v studies, and 2 UCS-PE’s for UCS training on emulated systems.) See Exhibit B for additional details of both DC rack types.

Exhibit B

General Rack Interface Summary : Remote Control Tools

  • All routers and switches can be controlled via the web with our GUI remote control system.
  • You will not waste time on our racks… when you begin your session, your routers WILL BE set to the default (blank) setting.
  • Web GUI access to all devices allowing you to start / stop / and revert to clean configurations.
  • Each device can be power cycled by our RPC (Remote Power Control) system with a click of a button.
  • Single Page Login (no need to telnet to rack’s terminal server). Login and begin using our online hardware instantly.
  • Session Management (view scheduled time and reschedule without human intervention)

Technology Rack Details

Within our CCIE Data Center Technology racks, you will have access to the following devices / software:

  • Nexus 7010
  • 2 Non-Default VDCs
  • 8 each N7K-F132XP-15 Ports
  • 8 each N7K-M132XP-12L
  • 2 Nexus 5548 with Layer 3 module
  • Enhanced Layer 2 License
  • FCoE NPV License
  • Storage (Native FC) License
  • 2 Nexus 2248TP
  • 2 MDS9216i
  • SAN Extension over IP License
  • Enterprise Package License
  • 1 Fibre Channel JBODs
  • 2 UCSPE (Platform Emulators)
  • 1 UCS C200 M2 rack servers
  • Xeon X5670 2,93Ghz 6-cores
  • 48GB RAM
  • 2 450GB SAS 15k harddisks
  • UCS P81E VIC card
  • The 2 Nexus 7000 VDC’s can be configured to simulate extended distribution topologies and the ‘core switch’ layer within the network.
  • Nexus 5548 will be used as a ‘Aggregation’ layer within the datacenter network. The Nexus 2k’s can be configured as FEX for the Nexus 5000 and simulated Fabric Interconnects for the UCS series server. The VDC’s are a major component in the network as the number of devices is limited and the connectivity is very much based on a best practice design.

Mock Lab Rack Details

Within our CCIE Data Center Mock Lab racks, you will have access to the following devices / software:

  • Nexus 7010
  • Sup1
  • LAN Enterprise License
  • Advanced LAN Enterprise License
  • Enhanced Layer 2 License
  • SAN Enterprise License
  • Scalable Feature License
  • MPLS License
  • DCNM LAN License
  • DCNM SAN License
  • 32 Port 10Gb (F1 Module)
  • with FCoE license
  • 32 Port 10Gb (M1 Module)
  • 2 Nexus 5548 with Layer 3 module
  • Layer 3 License
  • Enhanced Layer 2 License
  • FCoE NPV License
  • Storage (Native FC) License
  • VM-FEX License
  • 2 Nexus 2248TP
  • 2 MDS9222i
  • SAN Extension over IP License
  • Enterprise Package License
  • 2 Fibre Channel JBODs
  • 2 UCS 6120XP Fabric Interconnects
  • 8-port FC Expansion Module
  • UCS 5108 blade chassis
  • UCS 2104XP Fabric Extenders
  • 4 UCS B200 M2 blade servers
  • Xeon X5670 2,94Ghz 6-cores
  • 48GB RAM
  • 2 300GB SAS 10k harddisks
  • UCS M81KR VIC mezzanine card
  • 2 UCS C200 M2 rack servers
  • Xeon X5670 2,93Ghz 6-cores
  • 48GB RAM
  • 2 450GB SAS 15k harddisks
  • UCS P81E VIC card
  • One of the servers will be used for hosting supporting VMs. You will not have direct access to this server
  • ACE 4710
  • The Nexus 7000 will be configured with VDC’s to simulate various different topologies and create multiple ‘core switch’ layers within the network
  • Nexus 5548 will be used as a ‘distribution’ layer within the datacenter network. The Nexus 2k’s can be configured as FEX for the Nexus 7000, Nexus 5000 and the Fabric Interconnects of the UCS system to connect the UCS C-series rack mount servers. The VDC’s are a major component in the network as the number of devices is limited and the connectivity is very much based on a best practice design.

I would hop on these racks, and I would lab my technology for the week. I used iPexpert’s CCIE Data Center Volume 1 (Technology-Focused Lab Workbook) for this. (This workbook was amazing. It, in my opinion, over-prepared me for the exam, however I’m also in the process of making some updates for existing customers – which I will continue to do on a regular basis as frequently as I feel fit.) But I digress… I would lab the technology and try to gain an understanding as to what the “base-config” was for the technology. From there I would build upon that, and add the proverbial “nerd-knobs” that are so infamous in our industry. Between the videos, reading, and labbing, that was normally sufficient for me to feel really good about a technology. If, after my initial labs, I still felt a bit weary (like I did with the iSCSI gateway feature), I would go back and watch the VODs again, read, and re-lab. (I think that I labbed iSCSI about 30 times before it clicked!)

So in short, my preparation was such:

  1. Choose a technology
  2. Watch iPexpert CCIE DC VOD around that technology
  3. Read everything I could on that technology (whitepapers, config guides, blogs, books)
  4. LAB with iPexpert’s Volume 1 Workbook
  5. If necessary start the cycle over again

I never moved on until I was feeling good with the technology. I found it best to break each technology down into crucial, little “manageable chunks of work”. Take iSCSI gateway for instance, there’s a lot of configuring needed there, so I had to break it down into something like this:

  1. Enable feature/enable module
  2. No shut iscsi interface
  3. Configure initiator
  4. Configure virtual-target
  5. ZONE!

Each one of those sections had their little individual configs. But when I looked at it from this regard, rather than everything as a whole – it was a lot less intimidating and a whole lot easier to remember and configure.

I went into my last 2 weeks feeling pretty prepared, so I decided to go through iPexpert’s stellar Volume 2 Mock Lab Workbook, which, when I was preparing for my lab, contained 3 full-scale mock labs (now it contains 4, with the 5th and final coming this month). I did not have racks for these, so I did everything in notepad, and the UCS-PE (download this if you don’t have it!). It actually worked out, as doing my NX-OS and MDS configs in notepad really let me see how my mind was digesting a technology and how my brain worked through the necessary steps to get it working. Even if my syntax was not 100% accurate, I knew that I was at least going down the right path and that, if I were on a real device, the context-sensitive help would have pulled me through. Now I don’t recommend this for everyone! Some may find this extremely difficult, and it may not fit your learning style. So, if you can get a full rack, definitely use that instead of notepad! ;-) Ok, back to the preparation strategy I used before my lab attempt… To be honest, I don’t think I passed a single one of my mock labs. They were generally harder than what I felt the actual lab was. But I did get a good end-to-end assessment of what I thought the lab was going to feel like. So it put me in a good position for when I went into my lab day – which, I did pass on my first attempt!

Had I the opportunity, I would have chosen to attend a CCIE Data Center Bootcamp in my final weeks, but my work schedule didn’t permit. Now that I’m teaching for iPexpert, and have analyzed every product in our CCIE Data Center portfolio, I can say that the best time for someone to attend a bootcamp is about 3 to 6 weeks before your lab date. As a colleague of mine mentioned, take it late enough that you can ensure that you’re not confused in the bootcamp and use it to fill any gaps in your knowledge, but not so late that you can’t correct any misconceptions that you might have had coming into it. iPexpert’s 5-Day CCIE Data Center Bootcamp is an awesome resource at the end of your studies to really get some last minute training, mentoring, tips and probably the most important of them all – dedicated racktime! Like I said, it will really help to solidify your expert-level knowledge of the technologies that you have so diligently been studying!

I hope, if nothing else, that this gives you an idea of how to study for this lab exam. It’s nothing to take lightly, and the things that you will learn throughout your studies will benefit you throughout your career. The icing on the cake however, is the day you open that portal page, and see those shiny digits waiting for you!

Jason Lunde
CCIE #29431 (Data Center and R&S)
CCIE Data Center and R&S Instructor – iPexpert, Inc.

About Jason:

Jason Lunde is a dual CCIE who passed the R&S v4 lab in 2011, and the CCIE Data Center lab in December of 2013, both on his first attempt. Throughout his lab preparation, he utilized iPexpert’s CCIE lab training materials exclusively. He also holds a BS in CIS from Colorado State Univ.- Pueblo, and a MS in Infosec. Mgmt. from Colorado Technical Institute.

Jason has been in and around the networking industry since 2006, and his real-world expertise spans many corporate verticals such as oil & gas, education, banking, entertainment, and retail. His past several years have been spent doing post-sales design work, configurations, and troubleshooting for a Cisco partner in the mid-west; providing services for both SMB and enterprise-level clients. His primary focus over the past two years has been around datacenter technologies such as OTV, FabricPath, VPC, and converged networking.

Jason joined iPexpert in May 2014, and is primarily focused on CCIE Data Center product and bootcamp development and instruction.


CCIE Data Center Lab Video Update

Just a quick message to let you all know that we’ve updated our CCIE Data Center VOD, and have uploaded some new lectures (done by our CCIE DC instructor – Jason Lunde, who teaches our CCIE Data Center 5-Day Lab Preparation Bootcamp)……

As we’ve committed to our iPeverything subscribers, the new content totals approximately 16 hours. We now have a full playlist of training from 3 instructors including Rick Mur, Terry Vinson and Jason Lunde.

Be sure to connect with us socially for product news, discount codes and freebies!

Here are 4 samples, enjoy!

Storage 101:

FabricPath:

VPC:

Active FEX:

 

This Week’s CCIE Success Stories Who Have Been Added to iPexpert’s “CCIE Hall of Fame”

Please join us in congratulating the following iPexpert clients who have all recently passed their CCIE lab!

This Week’s CCIE Successful Stories

  • Matthew Pinizzotto, CCIE #44694 (Data Center)
  • Robert Lopez, CCIE #44688 (Wireless)
  • Andre Aubet, CCIE #44686 (Wireless)
  • Jeffrey Lingle, CCIE #44699 (Data Center)
  • John Cook, CCIE #7586 (Data Center, Routing & Switching, Wireless)
  • Abdul Abdullateef, CCIE #44676 (Wireless)
  • Jeff Whitmore, CCIE #44727 (Wireless)

This Week’s CCIE Testimonials

“I just passed my CCIE Data Center lab, thanks in large part to the instructors at iPexpert. The biggest differentiator was the availability and eagerness to help after class ended. On multiple occasions both Terry and Jason exceeded my expectations. Thanks! – Jeffrey Lingle, CCIE #44699 (Data Center)”

We Want to Hear From You!

Have you passed your CCIE lab exam and used any of iPexpert’s or Proctor Labs’ CCIE, CCNP or CCNA self-study product, CCIE Bootcamps or any other services we provide? If so, we’d like to add you to our CCIE Hall of Fame!

Please email us at success@ipexpert.com. Be sure to include your full name, your CCIE number (or the other certifications you have passed using our training), the track, when you passed, and what products, bootcamp or services you used.

If you submit a detailed testimonial, please also include your shirt size and your mailing address!

Understanding Transparent ASA Operations for CCIE Security Lab Candidates

In this blog I’d like to examine the behavior of a transparent firewall in greater detail. Before we get to this, however, it may be a good idea to recall what happens when the ASA is running in the default firewall mode – routed. In routed mode, the ASA is considered to be a router hop in the network. We have many interfaces and each of them requires an IP address from a different subnet. Routing configuration can be simplified since the firewall supports multiple dynamic routing protocols. Also most of the other features are supported on the routed ASA.

In transparent mode, things change a bit. A transparent firewall is more of a Layer 2 device that acts like a “bump in the wire,” or a “stealth firewall,” and is not seen as a router hop by connected devices (the ASA is “invisible” at Layers 2 and 3). The ASA’s interfaces belong to a single Bridge Group (different VLANs on the switch side) but all devices (including the firewall) are part of a single L3 subnet. Certain features (like routing protocols and multicast routing) are not supported in this mode, a few features are added (e.g. ARP Inspection, CAM Table protection) and almost any traffic can pass through the device (IP & EtherType access-lists).

Now that we have gone through a short comparison of the two firewall modes, let’s think about specifics – and what I want to focus on here are the operational differences from the routed mode. Routed mode is probably well understood by most of you since it is very similar to the way routers operate – before a packet is forwarded, the routing table is looked up to find the longest match (for the destination IP address from the packet), then an egress interface is found (or next-hop and egress interface), the packet is switched, re-encapsulated with new L2 information (L2 source and destination) and finally serialized onto the wire.

What’s different in the Transparent mode? First of all – the outgoing interface of a packet is determined by performing a MAC address lookup instead of a route lookup. This is because the firewall simply switches the frame based on L2 information instead of trying to route it (it looks up the frame’s destination MAC in the CAM). There are only three exceptions to this rule :

  1. Traffic originated by the ASA to a non-local (remote) destination
  2. Traffic that is at least one hop away from the ASA with NAT enabled
  3. Voice over IP (VoIP) and DNS traffic with inspection enabled when the endpoint is at least one hop away from the ASA

In the above-mentioned cases routing table lookup is necessary for successful traffic forwarding.

OK, but let’s start with the beginning. How does the ASA populate its CAM table?  It learns and builds a MAC address table in a similar way as a normal bridge or switch – when a device sends a packet through the ASA (e.g. a data packet), the ASA adds the source MAC address to its CAM. It also associates the MAC address with the source interface.

Next is traffic forwarding. This is when the populated CAM table is used to find the outgoing interface for the frames (after the enabled firewall features, such as inspection, have been applied).

Let’s quickly take a look at this using the topology below :

[Image 1]

After all devices were powered on, the ASA learnt four MACs – two on the inside and two on the outside:

[Image 2]

Two of these addresses belong to the directly connected switch (ports connected to the ASA), one belongs to R2 and one to R5. These addresses were learnt by the ASA from the Control Plane packets such as BPDUs and ARP. So when I ping from R2 to R5, we should see a frame destined to 001b.d50f.f2f8 and when a reply comes back we should see it with destination 001b.d4a9.e400. This way ASA knows that packet #1 should be sent via outside, packet #2 via inside (both packets are shown as seen by the ASA on the inside and outside) :

[Image 3]

Pay attention to L2 and L3 addresses – none was changed by the ASA. Also TTL was not decremented meaning the ASA was completely invisible to the routers.

Now what would change if I were to reach a remote destination from R2? Like if I send a packet to 5.5.5.5? Nothing changes, even though the ASA does not have any route in the RIB:

[Image 4]

Also notice that in both cases ARP cache on the ASA is blank – it would be only used if ASA itself wanted to send a packet :

[Image 5]

OK so does it mean that transparent ASA operates exactly like a regular bridge/switch all the time? No, there is one difference. When there is no matching entry for the frame in the CAM (i.e. destination MAC was not found) the ASA will do the following :

  1. If a packet is L3-destined to the local (ASA’s) subnet, firewall generates an ARP request (out of every enabled interface) for the destination IP address, so that it can learn the MAC and outgoing interface
  2. If a packet is for a remote device (L3), the ASA generates a TTL 1 ping to the destination IP address (keeping the original, unknown L2 destination). The Echo packet is sent out every interface except the one on which the original packet was received, in the hope of getting a TTL-Exceed message back to figure out the correct port. Note that the ASA does not need a L3 route to generate those Echos

To test this behavior we will have to make some changes on R2 – I am going to add a static ARP entry for a non-existing device 172.3.245.6 :

[Image 6]

Take a look at the MAC addresses of the ASA and observe a debug (l2-indication) :

[Image 7]

Two ARP Requests were sent, one via inside and one via outside, received by R2 and R5, respectively. In our case there is no 172.3.245.6 device so nothing replies – the original packets are dropped.

To finish, let’s look at the second case, when a L3 destination is non-local :

[Image 8]

Note that only one Echo was generated, through the outside port. If we had more interfaces, like e.g. 3, we would see 2 Echos (it does not generate a packet for the interface where it got the original frame).
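The forwarding rules walked through in this post (CAM learning, unchanged forwarding on a CAM hit, ARP or TTL-1 echo probes on a CAM miss), written as a Python model. This is an added example, not ASA code or output from the original lab: the two router MACs, 172.3.245.6 and 5.5.5.5 come from the post, while the /24 mask, the router IP addresses, the `dmz` interface and the unknown destination MAC are assumed values.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip ttl")
Action = namedtuple("Action", "kind interface detail")


@dataclass
class TransparentFirewall:
    """Model of the transparent-mode forwarding decision described in the post."""
    subnet: ipaddress.IPv4Network            # the single L3 subnet of the bridge group
    interfaces: tuple                        # enabled interfaces
    cam: dict = field(default_factory=dict)  # MAC address -> interface

    def handle(self, frame, ingress):
        """Return the list of actions taken for one frame received on `ingress`."""
        # Learn the source MAC against the interface the frame arrived on.
        self.cam[frame.src_mac] = ingress

        egress = self.cam.get(frame.dst_mac)
        if egress == ingress:
            # Ordinary bridge filtering (assumption: the post does not cover this case).
            return [Action("filter", ingress, frame)]
        if egress is not None:
            # CAM hit: no route lookup, and MACs, IPs and TTL leave untouched.
            return [Action("forward", egress, frame)]

        # CAM miss: probe for the destination; this model does not forward the
        # triggering frame (the post shows it dropped in the ARP case).
        if ipaddress.ip_address(frame.dst_ip) in self.subnet:
            # Local L3 destination: ARP request out of every enabled interface.
            probes = [Action("arp-request", i, frame.dst_ip) for i in self.interfaces]
        else:
            # Remote L3 destination: TTL-1 echo that keeps the unknown destination
            # MAC, sent out of every interface except the ingress one.
            probes = [Action("echo-ttl1", i, (frame.dst_ip, frame.dst_mac))
                      for i in self.interfaces if i != ingress]
        return probes + [Action("drop-original", ingress, frame)]


R2_MAC, R5_MAC = "001b.d4a9.e400", "001b.d50f.f2f8"  # MAC addresses from the post
R2_IP, R5_IP = "172.3.245.2", "172.3.245.5"          # assumed router addresses
UNKNOWN_MAC = "0000.0000.0006"                       # constructed static-ARP MAC


def build_lab(interfaces=("inside", "outside")):
    """Firewall whose CAM already holds both routers, as after ARP/BPDU learning."""
    fw = TransparentFirewall(ipaddress.ip_network("172.3.245.0/24"), tuple(interfaces))
    fw.cam[R2_MAC] = "inside"
    fw.cam[R5_MAC] = "outside"
    return fw


def kinds(actions):
    """Reduce actions to (kind, interface) pairs for easy comparison."""
    return [(a.kind, a.interface) for a in actions]


if __name__ == "__main__":
    fw = build_lab()
    ping = Frame(R2_MAC, R5_MAC, R2_IP, R5_IP, 255)
    print("R2 -> R5      :", kinds(fw.handle(ping, "inside")))
    ghost = Frame(R2_MAC, UNKNOWN_MAC, R2_IP, "172.3.245.6", 255)
    print("R2 -> .6      :", kinds(fw.handle(ghost, "inside")))
    remote = Frame(R2_MAC, UNKNOWN_MAC, R2_IP, "5.5.5.5", 255)
    print("R2 -> 5.5.5.5 :", kinds(fw.handle(remote, "inside")))
    fw3 = build_lab(("inside", "outside", "dmz"))
    print("3 interfaces  :", kinds(fw3.handle(remote, "inside")))
```
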

Happy Labbing! – Piotr Kaluzny CCIE #25665 (Security) / CCIE Security Instructor – iPexpert, Inc.

About Piotr: Piotr, a MSc in Computer Science, has been in the networking industry for over seven years working in several different capacities within enterprise Cisco environments. His responsibilities included, but were not limited to, implementation, design, and level three technical support. Piotr already has an extensive background as a Technical Instructor – he has been designing and developing Cisco training solutions and teaching CCIE classes for the past four years.

Currently, he’s the author / instructor for iPexpert’s CCNA VOD, CCNP VOD, CCIE Written VOD, CCIE Security Lab Prep VOD, CCIE Security Workbook Volume 1, CCIE Security Workbook Volume 2, and he teaches iPexpert’s CCIE Security 5-Day Bootcamp and CCIE Security 10-Day Lab Preparation Bootcamps.

 

iPexpert’s Cisco CCIE Collaboration Lab VoD :: Next Generation – Now Available

We’ve now completed the recording and editing process for our CCIE Collaboration Lab VoD. For iPeverything subscribers, or anyone who purchased the Voice 3.0 VOD, you now have access to the new CCIE Collaboration Lab VOD. The Table of Contents is as follows:

iPexpert’s Cisco CCIE Collaboration Lab VoD :: Next Generation Playlist (Runtime 44 hours, 10 minutes)

  • Configure and Troubleshoot Cisco Collaboration Infrastructure
    • Introduction
    • CDP LLDP
    • VLANs
    • Campus Infrastructure
    • DHCP
    • DHCP
    • DHCP Part 2
    • DHCP Part 3
    • DHCP Static Mapping Part 1
    • DHCP Static Mapping Part 2
    • NTP
    • NTP
    • DNS
  • Configure and Troubleshoot Cisco Unified Communications Manager (CUCM)
    • CUCM Phone Registration
    • Device Pools
    • Phone Configuration
    • Phone Customization
    • Ringlists & Directories
    • H323 Gateways
    • MGCP Gateways
    • SIP CUBE
    • Gateways
    • Fast Start
    • MGCP
    • SIP Trunk
    • CUCM Dial Plan
    • Local Route Group
    • Call Routing
    • Call Routing Part 2
    • Globalization Localization
    • CUCM Call Hunting
    • Device Mobility
    • Unified Mobility
    • Extension Mobility
    • Mobility
    • URI Dialing
    • Service Advertisement Framework and Call Control Discovery
    • CUCM Call Admission Control
    • Resource Reservation Protocol
    • RSVP
    • Media Resources
    • cBarge
  • Configure and Troubleshoot Cisco IOS UC Applications and Features
    • CUCME Endpoint Registration
    • Telephony Service
    • IOS Dial Plan
    • Dial Peers
    • Busy Triggers
    • IOS Call Hunting
    • Cisco Unity Express
    • CUE
    • Survivable Remote Site Telephony
    • CUE SRST
    • cBarge SRST
  • Configure and Troubleshoot QoS and Security in Cisco Collaboration Solutions
      • QoS Classification
      • QoS Marking
      • QoS Queuing
      • QoS Policing and Shaping
      • QoS Link Efficiency Mechanisms
      • QoS
      • Out Bound QoS
      • QoS Scenario
      • WAN QoS
  • Configure and Troubleshoot Cisco Unity Connection
    • Voicemail Integrations
    • Unity Connection
    • Unity Connection Dial Plan
    • System Call Handler
  • Configure and Troubleshoot Cisco Unified Contact Center Express (UCCX)
    • UCCX Integration and Custom Scripting
  • Configure and Troubleshoot Cisco Unified IM Presence
    • IM and Presence CUCM Integration
    • Cisco Jabber
    • Presence Federation

This Week’s CCIE Success Stories Who Have Been Added to iPexpert’s “CCIE Hall of Fame”

Please join us in congratulating the following iPexpert clients who have all recently passed their CCIE lab!

This Week’s CCIE Successful Stories

  • Nitin Jain, CCIE #44757 (Wireless)
  • Sinhara Prasad Silva, CCIE #44741 (Data Center)
  • Justin Carney, CCIE #41664 (Voice)
  • Mitchell Dennis, CCIE #38112 (Voice)
  • Meraj Khalid, CCIE #41576 (Security)
  • Faraz Siddique, CCIE #35265 (Service Provider)
  • Javier Cuadros, CCIE # 30053 (Voice)
  • Attila Rumy, CCIE #44176 (Collaboration)
  • Travis K, CCIE #43674 (Security)
  • Sergio Jachtchenco, CCIE #35636 (Voice)
  • Hemant Sharma, CCIE #28809 (Routing & Switching)
  • Tom Stampe Raavig, CCIE #42370 (Security)

This Week’s CCIE Testimonials

Justin Carney, CCIE #41664
“Thank you iPexpert for helping me achieve my CCIE Voice success! I have used nearly all of your products including the Blended Learning Solution consisting of workbooks, VoD, and rental rack time. The VoDs and workbook 1 were great at setting the foundational knowledge and the workbook 2 mock labs and rack time brought it all together to prepare for pressure of the real 8-hour lab. I also attended the full 10-day bootcamp towards the end of my journey which helped me get to the finish line by getting out of my day-to-day work/life and focusing purely on my lab with a great instructor and a room full of other motivated candidates.”

Mitchell Dennis, CCIE #41576
The bootcamp and lab workbook were excellent! It would not have been possible for me to pass the CCIE lab without attending the bootcamp and using the 5-lab workbook for practice.

Hemant Sharma, CCIE #28809
“I first used iPexpert study material, when I was preparing for CCNP, it enabled me to take my effort to next few levels and raised the bar so high that only CCIE was the limit.”

Travis K, CCIE #43674
” I passed my CCIE Security recently. Thanks to iPexpert
I used iPexpert videos for my CCIE lab exam, the videos helped me a lot in understanding the concepts like ISE profiling and dot1x.
And I liked the way Piotr Kaluzny explains the concept..its easy to understand..thanks to him..
I would like to thank iPexpert for providing excellent training material and to the trainer Piotr Kaluzny and all the support team.”

Attila Rumy, CCIE #44176
“I’ve used iPexpert‘s Blended Learning Solution to prepare for the CCIE Collaboration exam which I’ve passed on the 24th of June and earned CCIE #44176 number.
The most useful were the mock lab workbooks and the solutions for them along with the Video on Demand.”

We Want to Hear From You!

Have you passed your CCIE lab exam and used any of iPexpert’s or Proctor Labs’ CCIE, CCNP or CCNA self-study product, CCIE Bootcamps or any other services we provide? If so, we’d like to add you to our CCIE Hall of Fame!

CUBE (Cisco Unified Border Element) Video Calling

When it comes to the Cisco Unified Border Element (CUBE), things can get complicated quickly.  We all know that CUBE is just an IOS routing device, with simple dial-peers configured in order to route calls from one destination to another.

However, there’s more to it than that, especially when it comes to video calls.  That’s where I would like to set our focus for this blog.  What are some of the ways to make a video call across CUBE?  Or as some students might put it, how are we supposed to make a video call with CUBE in the way :-)?

First off, let’s examine a sample topology.  In the below, we have three sites; HQ, SC, and BB, each with 9971 video phones.  Both the HQ and BB sites are using CUCM as the call agent (CA) while SC is using the CUCME as the CA.  Of course, we are going to try and examine what happens when we try to make a video call across the CUBE in this topology.

[Image: CUBE-Video-Calling]

In order to connect to CUBE in the first place (from CUCM), we’ll need to configure SIP trunks, since after all, it is SIP that we’re using to make the connection.  Given that the BB CUCM cluster already has its configuration in place, we should do this on the HQ CUCM cluster.  The below screenshots detail the configuration.

[Images: SIP-Trunk-1, SIP-Trunk-2, SIP-Trunk-3]

We should remember to add our newly created SIP trunk to a Route Group and a Route List so any eventual Route Patterns that we create in the system can use the SIP Trunk. After this is complete, we can create route patterns pointing toward the DNs at both SC (43002) and BB (689220420).

At this point, we are able to start our CUBE (R1) configuration. First of all, you may have noticed that in the above, the destination is pointing towards the IP address 10.10.1.1. This corresponds to the Loopback 0 address of R1, which we must configure to terminate SIP signaling. This can be configured globally under voice service voip, or at a dial-peer level. In this case, we will add it to the global SIP configuration on the CUBE.

[Image: CUBE1]

The above configuration first addresses the Toll Fraud Prevention feature, which blocks communication with unknown devices that attempt to communicate with the router.  Our best course of action here is to turn it off by issuing the command no ip address trusted authenticate.  This opens up the router for any device to successfully connect, which is what we want for the CCIE Collaboration Lab (unless explicitly stated otherwise), even though this isn’t the greatest idea in the real world.  You should do this for every IOS device that routes calls.  For more on that feature, check out THIS LINK.

Next, we need to enable the router to act as a CUBE by issuing the command mode border-element.  This will allow the use of the different “media” commands available when configuring CUBE.  Of course, once this command is entered, we will need to reload the router for it to take effect.  The allow-connections commands configure the router to accept connections using the different protocols outlined above.  This is another set of commands that we can basically copy and paste to every IOS device in the network that is performing call routing.  Next, we are at the point where we can bind the Loopback 0 address to the global SIP process on the router.  As you can see, this is done for both control and media traffic.

Next, we can start to configure the dial-peers to support calling between systems.  Of course we need both inbound and outbound dial-peers for each connection.  In the below configuration, we have two dial peers for HQ (for PUB/SUB redundancy) that will be selected as both inbound and outbound dial peers for calls destined toward HQ.  We also have dial-peers for the SC CUCME and the BB CUCM cluster.  On each dial-peer, we have configured the codec to “transparent”, so the audio codec can be negotiated between each endpoint.  This means that whatever codec is offered from one end of the call is forwarded exactly as received to the other endpoint.

[Image: CUBE2]

With this configuration in place, we are now ready to try a video call.  Before we do that however, let’s run a quick refresher on SIP signaling.  In a typical SIP call, you might see something like the following diagram.  In this example, User A calls User B via SIP.

[Image: SIP-Signaling]

The above is an example of a “delayed offer” SIP call, where the SDP is negotiated after the initial signaling has taken place.  In an “early offer” SIP call, we would see the SDP parameters in the original INVITE message.

Now, let’s place a call from HQ Phone 1 (21001) to the BB PSTN Phone (689220420).  We can see that the audio goes through successfully, but video is only being received on the HQ Phone 1 screen.  The BB Phone shows a blank screen instead of video.  This means that the BB phone is not receiving any video from HQ, but the HQ Phone is receiving the video stream from BB.  To troubleshoot, let’s run a debug ccsip messages on the CUBE router.

We can see from the initial SIP INVITE sent from CUBE to BB that this is a “delayed offer” type of call, since the SIP message does not contain an SDP.

[Image: CUBE3]

Since this is the case, we should expect to receive an SDP in the “200 OK” message from the BB CUCM server when the phone answers the call.  We can see that this is indeed the case.

[Image: CUBE4]

There are a couple of things that we can glean from this output right off the bat.  First of all, we know that the BB Phone would like to start a video session, as seen in the “m=video” line in the debug output.  This defines the UDP port that should be used for the connection along with the codec and payload types that are supported.  The next thing we should notice is the definition of those payload types.  Remember, H.264 uses a dynamic payload type, which could be anything between 96 and 127.  See THIS LINK for more detail.  In this case, we see that the BB CUCM cluster has offered to use either payload type 126 or 97.  Next, we should expect to see the CUBE pass this “all-important” SDP message to the HQ CUCM cluster.

[Image: CUBE5]

In this case, we see the SDP message being sent to the HQ CUCM, but we notice that the RTP payload type has changed.  CUBE is now actually trying to negotiate an RTP payload type of 119 with the HQ CUCM cluster, even though it received possible payload types of 126 and 97 from the BB CUCM cluster.  What CUBE has offered to the HQ CUCM cluster is still within the realm of possibility, since 119 is a possible dynamic payload type.  However, why didn’t CUBE just pass along the video codecs that were offered by the BB CUCM cluster?  We will look at that in a bit.

The next message that we see on CUBE is the ACK from the HQ CUCM in response to the “200 OK” message sent from CUBE.  In the message, we see that HQ actually offers to communicate using RTP payload type 97.  This is because 97 and 126 are the values used by 9971 phones when communicating using the H.264 codec.  The phone won’t use the offered RTP payload type of 119 for video reception because it is not programmed to do so.

[Image: CUBE6]

At this point, CUBE is simply going to forward the ACK message along to the BB CUCM cluster.  The BB CUCM cluster will, of course, accept this information and begin to communicate using the information it received from CUBE.

[Image: CUBE7]

Let’s review what just happened. The call leg between HQ and CUBE has negotiated two different payload types. Since HQ received an offer from CUBE to use RTP payload type 119, HQ will use that type to send video. However, since HQ sent RTP payload type 97 to CUBE in the ACK message, it will be using that payload type to receive video. From the perspective of the BB phone, this negotiation resulted in using RTP payload type 97 for both sending and receiving video. Based on these facts, we can see that the BB phone does not receive video because HQ is sending using RTP payload type 119, while BB is expecting to receive video using RTP payload type 97. The HQ phone is receiving video using RTP payload type 97, which is what the BB phone is using to send video.

So how do we fix this problem?  Well, there are actually a few ways that we can pull it off.  First, we have to realize that we were originally trying to negotiate the video call directly with the CUBE.  This is just one of our architectural options when configuring this call flow.  We can either negotiate the codec between call legs (HQ to CUBE and CUBE to BB), or we can allow the CUBE to act as a “middle man” and pass the SDP information through to each endpoint.  Essentially, the latter option means that we are negotiating directly between endpoints (similar to the codec transparent command under the dial-peer for audio codecs).  Let’s take a look at the first option—attempting to negotiate the video call with the CUBE from each endpoint.

We will need to somehow change the way that the CUBE offers the RTP payload type.  We saw in the previous example that it offered RTP payload type 119 without success.  If we are somehow able to change that, we might be in business.  So how can we make the change?  If you think about how IOS routes calls, you might think that the first place you should look is the dial-peer—and you would be right!  If you run the command show dial-peer voice 689, you see a gigantic output with a lot of information about that specific dial-peer.  Scroll to about the middle of that output and you will see a section labeled “RTP dynamic payload type values”.  This is going to contain our answer.  From the below output, you see that the H.264 codec is programmed to use the RTP payload type of 119 as defined in the dial-peer.

[Image: CUBE8]

With this information, we now know that we should be able to change the payload type from 119 to 97 and everything should work. Not so fast—notice from the above command that RTP payload type 97 is already in use by something called “fax-ack”. So before we change the H.264 payload type to 97, we must modify the “fax-ack” payload type to another value. The Cisco documentation suggests that we use 111, but you can use whatever is not in use at the moment. See THIS LINK for more information.

Now let’s configure the dial-peer to use the correct payload type using the following commands.

[Image: CUBE9]

Once the commands are successfully entered, we can run another debug ccsip messages to see what happened.  Let’s check out the “200 OK” message that is being sent from CUBE toward the HQ CUCM cluster.  That is originally where the H.264 codec was offered using RTP payload type 119.  The output below shows that the CUBE is now offering payload type 97.

[Image: CUBE10]

We have now successfully negotiated the codec between call legs (HQ to CUBE and CUBE to BB).  There is still one more way to accomplish the same thing.  If we remove the RTP payload commands from dial-peer 689 and instead use the command asymmetric payload full under the global SIP process on the CUBE, this will allow the SDP negotiation to take place as well.   This allows CUBE to accept and send different payload types.  Of course, when entered on a global level, this applies to every dial-peer on the system.  You do, however, have the option to apply this on a specific dial-peer, if desired.

[Image: CUBE11]

When making the test call, upon examining the “200 OK” message being sent by the CUBE toward the HQ CUCM cluster, we see that both payload types are now offered, even though the RTP payload type on the dial-peer is set to use 119.  This, of course, results in a successful video call.

[Image: CUBE12]

The last method we can use to successfully configure video calling through the CUBE is to simply let the endpoints negotiate the video codec without CUBE interfering at all.  We can basically configure CUBE to forward whatever SDP messages it receives to the destination endpoint.  Once again, we have the ability to perform this configuration on both a global and dial-peer level in the CUBE.  The global command is called pass-thru content sdp and it is applied under the global SIP configuration under voice service voip.  See the below snippet for the syntax.

[Image: CUBE13]

When making the test call, upon examining the “200 OK” message being sent by the CUBE toward the HQ CUCM cluster, we see that both payload types are now offered, even though the RTP payload type on the dial-peer is set to use 119.

[Image: CUBE14]

At this point, we basically see the same thing that happened when using the command asymmetric payload full.  The CUBE offers both 126 and 97 as possible RTP payload types for the HQ CUCM to use when communicating with the BB Phone.

Just to summarize our findings here, we now know that there are three different ways to configure video calling across the CUBE.  The first method involves negotiating the video codec directly on the dial-peer using the rtp payload-type commands.  The second method also uses dial-peer negotiation, but accomplishes it using the asymmetric payload full command under the global SIP process on the CUBE.  The third method basically takes the CUBE out of the equation altogether since it simply passes the SDP information from the sender to the receiver and vice versa.  This can be accomplished using the pass-thru content sdp command.
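The payload-type mismatch and the three fixes summarized above, traced from SDP in Python. This is an added example, not code or debug output from the original post: the SDP bodies are constructed (only the H.264 payload types 126, 97 and 119 come from the post), and the `mode` names are hypothetical labels for the CUBE behaviour the post observes with each command.

```python
import re

# Constructed SDP bodies. Only the H.264 payload type numbers come from the
# post; addresses, ports and session fields are made-up sample values.
BB_OFFER = """\
v=0
o=- 1000 1 IN IP4 192.0.2.20
s=SIP Call
c=IN IP4 192.0.2.21
t=0 0
m=audio 24580 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
m=video 24582 RTP/AVP 126 97
a=rtpmap:126 H264/90000
a=rtpmap:97 H264/90000
"""

HQ_ANSWER = """\
v=0
o=- 2000 1 IN IP4 192.0.2.10
s=SIP Call
c=IN IP4 192.0.2.11
t=0 0
m=audio 16400 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
m=video 16402 RTP/AVP 97
a=rtpmap:97 H264/90000
"""


def h264_payload_types(sdp):
    """Return the H.264 payload types of the m=video section, in m-line order."""
    section, listed, h264 = None, [], set()
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            section = fields[0]
            if section == "video":
                listed = [int(pt) for pt in fields[3:]]
        elif section == "video":
            match = re.match(r"a=rtpmap:(\d+)\s+H264/", line, re.IGNORECASE)
            if match:
                h264.add(int(match.group(1)))
    return [pt for pt in listed if pt in h264]


def cube_offer(far_types, mode, dialpeer_h264_pt=119):
    """H.264 payload types CUBE puts in its offer toward HQ, as seen in the post."""
    if mode == "dial-peer":                   # value from 'rtp payload-type' on the dial-peer
        return [dialpeer_h264_pt]
    if mode in ("asymmetric", "pass-thru"):   # far end's types reach HQ unchanged
        return list(far_types)
    raise ValueError(f"unknown mode: {mode}")


def trace_call(mode, dialpeer_h264_pt=119, far_offer=BB_OFFER, near_answer=HQ_ANSWER):
    """Work out which payload type each phone sends and whether the peer accepts it."""
    bb_receives = h264_payload_types(far_offer)    # BB listed these in its 200 OK
    hq_receives = h264_payload_types(near_answer)  # HQ listed these in its ACK
    if not bb_receives or not hq_receives:
        raise ValueError("no H.264 video stream in the SDP")
    offered_to_hq = cube_offer(bb_receives, mode, dialpeer_h264_pt)
    # RFC 3264: a side sends with a payload type taken from the SDP it received.
    common = [pt for pt in offered_to_hq if pt in hq_receives]
    hq_sends = (common or offered_to_hq)[0]
    bb_sends = hq_receives[0]                      # CUBE forwards HQ's ACK to BB
    return {
        "cube_offers_hq": offered_to_hq,
        "hq_sends": hq_sends,
        "bb_sends": bb_sends,
        "bb_sees_video": hq_sends in bb_receives,
        "hq_sees_video": bb_sends in hq_receives,
    }


if __name__ == "__main__":
    print("default dial-peer (119):", trace_call("dial-peer"))
    print("dial-peer set to 97    :", trace_call("dial-peer", dialpeer_h264_pt=97))
    print("asymmetric payload full:", trace_call("asymmetric"))
    print("pass-thru content sdp  :", trace_call("pass-thru"))
```
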

A call across the CUBE will also work the same way when using CUCME as one of the endpoints.  The only difference is that since CUCME is an IOS-based device, we’ll need to make a decision on what to do with the RTP payload type, in much the same way as it is done with CUBE.  Once again, we can choose the method that we want to use and determine if that will resolve the issue of the dreaded blank video screen.

First, let’s actually set up our dial-peers on CUCME (R3) to communicate with HQ Phone 1 (21001) as well as accept inbound calls.

CUBE15

As you can see in the above, we are using the voice-class codec command as well as the dtmf-relay command. The latter refers to the method being used to exchange “user key presses”, or DTMF digits. In this case, we see that we have a wide range of options to choose from: RTP-NTE (RFC 2833, In-Band), SIP-NOTIFY (Out-of-Band), and SIP-KPML (Out-of-Band). By using this command, we are basically using all options available to us in order to negotiate with the far end. The voice-class codec command refers to a preference list already configured in the router to select the codec for the audio path. In the below case, we prefer to use G.711 if supported by the remote end. Otherwise, we can fall back to G.729.

CUBE16

We also have to configure the global voice settings on the router in a similar fashion to that of CUBE.

CUBE17

As you can see, we have copied the “toll fraud” and “allow connections” commands from CUBE. Also, we have bound the Vlan31 interface to the global SIP process for both control and media traffic. In this configuration, we can place our first test call and use the debug ccsip messages command on R3. Once again, we can see that in the “200 OK” message sent from R3 towards CUBE, we have the same problem: the RTP payload type being offered is 119.

CUBE18

Once again, since this is an IOS device, we can overcome this in one of three ways: change the payload type manually, allow asymmetric payloads, or allow the SDP header to pass through. The only difference here is that the pass-thru content sdp command tends to cause issues with SCCP phone signaling on CUCME, so it is recommended to use one of the other two methods available. The below debug verifies that either the asymmetric payload full or the rtp payload-type commands will fix the issue by sending an RTP payload type of 97.

CUBE19
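The payload-type mismatch described above can also be checked offline from the SDP bodies in a debug ccsip messages capture. This is an added example, not part of the original article: the SDP bodies are constructed, the helper names video_payload_types and compare_legs are hypothetical, and it assumes the symptom is an H.264 payload type in the answer that the offer never listed.

```python
import re

# Constructed SDP bodies for illustration (not captured from the article's lab).
OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 16384 RTP/AVP 0
a=rtpmap:0 PCMU/8000
m=video 16386 RTP/AVP 126 97
a=rtpmap:126 H264/90000
a=rtpmap:97 H264/90000
"""
ANSWER_TEMPLATE = """v=0
o=- 2 2 IN IP4 192.0.2.20
s=-
c=IN IP4 192.0.2.20
t=0 0
m=audio 18000 RTP/AVP 0
a=rtpmap:0 PCMU/8000
m=video 18002 RTP/AVP {pt}
a=rtpmap:{pt} H264/90000
"""
ANSWER_119 = ANSWER_TEMPLATE.format(pt=119)  # the failing case: answer uses 119
ANSWER_97 = ANSWER_TEMPLATE.format(pt=97)    # after the fix: answer uses 97


def video_payload_types(sdp, codec="H264"):
    """Payload types listed on m=video lines whose a=rtpmap names `codec`."""
    listed, mapped, in_video = [], {}, False
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            # Only attributes that follow an m=video line belong to video.
            in_video = line.startswith("m=video ")
            listed += [int(pt) for pt in line.split()[3:]] if in_video else []
        elif in_video:
            m = re.match(r"a=rtpmap:(\d+)\s+([^/\s]+)/", line)
            if m:
                mapped[int(m.group(1))] = m.group(2).upper()
    return [pt for pt in listed if mapped.get(pt) == codec.upper()]


def compare_legs(offer, answer, codec="H264"):
    """Report answer payload types for `codec` that the offer never listed."""
    offered = video_payload_types(offer, codec)
    answered = video_payload_types(answer, codec)
    unexpected = [pt for pt in answered if pt not in offered]
    return {"offered": offered, "answered": answered, "unexpected": unexpected,
            "match": bool(answered) and not unexpected}
```

Calling compare_legs(OFFER, ANSWER_119) reports 119 as unexpected, while compare_legs(OFFER, ANSWER_97) reports a match.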

I hope this has been helpful to all that are studying for the CCIE Collaboration lab exam. Please keep your eye out for many updates to come for both our workbooks and videos. Also, if you’re ever feeling like you need an extra push to get ready for the lab, are hitting roadblocks in your preparation, or just need some direction on how to tackle the CCIE Collaboration Lab, give us a call and speak with an iPexpert Training Adviser about attending one of my bootcamps. My goal is to get you ready to pass this exam as quickly as possible!

Thanks again for reading and good luck in your preparation!

Andy Vassar
CCIE #22042 (Collaboration, Voice, R&S)
CCIE Collaboration Instructor – iPexpert, Inc.

About Andy:

Andy Vassar is a triple CCIE who passed the CCIE Routing & Switching lab in September 2008 and the CCIE Voice lab in September 2010. He then passed the CCIE Collaboration in May 2014. Andy also holds a Bachelor’s degree in Network Engineering Technology from Purdue University in West Lafayette, Indiana.

Andy has been a part of the networking industry for over ten years, and has recently been focused on corporate voice & video (collaboration) network design, support, and implementation. While working for Cisco as a senior network engineer in Chicago, Andy had the opportunity to work with several highly-visible, large-scale clients where he designed, optimized, and trained various staff departments and employees on how to support their enterprise voice and video networks.

With nearly a decade of hands-on experience with Cisco technologies, as well as Cisco’s Collaboration hardware and application portfolio, Andy is leading iPexpert’s Next Generation CCIE Collaboration training and product development initiatives, and will be delivering live CCIE Collaboration Bootcamps in our newest office, right outside of Chicago.

Seven (7) New Training Bundles Per CCIE Track (Buy a Bundle, $ave a Bundle!)

We’re excited to now provide you with a large number of custom bundles which have been designed to fit the phase of preparation you’re in, accommodate your learning style, but most importantly they won’t break your bank!

When you purchase one of our bundles, you’ll be given access to all of the materials in a “downloadable” format that’s heavily discounted so you can begin your CCIE preparation today!

Don’t worry about time restrictions, you’ll always have access to your material. Your videos are downloadable in MP4 format, your CCIE workbooks will be an unencrypted PDF, and your rack sessions will be added to your account in the form of vouchers.

You’ll also have the ability to view your videos via our streaming solution, and utilize our online workbook interface and technical support community when you’re logged into your Member’s Area.

For more information about these new bundles, please visit our Training Bundles Portfolio Page, select the bundle that fits your needs and then select the certification track you’re interested in.

Our Training Advisors are always on standby ready to assist you! Please feel free to either call, email or chat with a live Training Advisor – whatever method is more convenient for you. If it’s outside of our regular working hours (8 AM EST to 6 PM EST), we’ll get back to you the next business morning.


CCNP Data Center VOD Update :: DCUFI Course Now Available

I’m excited to announce the release of another portion of our CCNP Data Center VOD – The DCUFI Module. Also, next week, we will be releasing the DCUFD Course. I’m hoping to have this entire series wrapped up in the next 3 weeks. As always, if you’re a subscriber to iPeverything or iPvideo Pass, the videos are already in your account.

Here’s a snapshot of the DCUFI Playlist:

  • Introduction
  • DCUFI DC Architecture
  • DCUFI Hardware
  • DCUFI NX-OS Software
  • NX-OS User & AAA Intro
  • NX-OS SSH
  • NX-OS EEM
  • NX-OS Time Protocols
  • NX-OS NetFlow
  • NX-OS Callhome
  • NX-OS SPAN
  • NX-OS SNMP
  • ISSU’s
  • Layer 2 in NX-OS
  • Spanning-tree in NX-OS
  • Virtual Device Contexts
  • FEX Topologies
  • Straight-Thru FEX’s
  • Dual Homed FEX’s
  • Config Sync
  • Private VLAN’s
  • Adapter FEX w/ NX-OS
  • Port-channeling in NX-OS
  • VPC Theory
  • VPC Demo
  • Enhanced VPC
  • FabricPath Theory
  • FabricPath Demo
  • VPC+ Demo
  • Layer 3 in NX-OS
  • FHRP’s in NX-OS
  • BFD – Bidirectional Forwarding Detection
  • OTV Theory
  • OTV Demo
  • Multicasting in NX-OS
  • Quality of Service
  • MPLS in NX-OS
  • LISP in NX-OS
  • NX-OS Security
  • Storage Fundamentals
  • Storage Networking Demo
  • Storage – Zoning Concepts
  • N-Port Virtualization
  • Cisco Fabric Services
  • FCoE Theory
  • FCoE Setup – Basic
  • FCoE over eVPC
  • N7K Storage VDC

I’m also including a “sneak peek” at a few of my new videos.

Happy Studying! – Jason

DCUFI :: Dual Homed FEX

DCUFI :: Config Sync

DCUFI :: Storage Zoning Concepts

iPexpert’s “CCIE Wall of Fame” Additions 9/26/2014

Please join us in congratulating the following iPexpert clients who have all passed their CCIE lab!

This Week’s CCIE Successful Stories

  • Eric Hulderson, CCIE #44870 (Wireless)
  • Quisher Khan, CCIE #35509 (Routing and Switching, Wireless)
  • Robert Lopez, CCIE #44688 (Wireless)
  • Greg Chisholm, CCIE #29271 (Routing and Switching)
  • Aruna Malalsena, CCIE#21131 (Routing and Switching, Security)
  • Joseph Ploehn, CCIE #17658 (Data Center, Storage)
  • Natraj Babaria, CCIE #27968 (Routing and Switching)
  • Narayan Dev Sarma, CCIE#25509 (Voice)
  • Jose Hernandez Asensio, CCIE #15276 (Routing and Switching)
  • Kaue Colaneri, CCIE #43577 (Wireless)

This Week’s CCIE Testimonials

Robert Lopez, CCIE #44688 Wrote:
“The wireless training resources at iPexpert brought all the pieces together as I prepared for the CCIE Wireless lab. Having the class resources available via the online portal proved to be very valuable in the review process and in honing my skills across all of the wireless related technologies. Also knowing that Jeff Rensink was an email or text away, was simply icing on the cake. Hats off to the entire iPexpert team…nicely done!”

Greg Chisholm, CCIE #29271 Wrote:
“I greatly accelerated in preparing for the Routing & Switching lab exam by using the Lab Workbooks. Every run-through of the lab scenarios increased my knowledge in several areas and prepared me to handle the network topologies found in the exam. Working on complete lab scenarios is a key component in the CCIE learning process.”

Aruna Malalsena, CCIE#21131 Wrote:
“iPexpert materials helped me to pass my CCIEs (R&S and Security) in first attempts.
There were months of driving without music for my family :), I was listening to the audio CDs while driving, it helped a lot to understand the challenging topics. Preparing for the DC these days and iPexpert has been a trusted partner for me throughout!!!
Thanks for the updated valuable materials.”

Joseph Ploehn, CCIE #17658 Wrote:
“I took your iPexpert Data Center boot camp in July 2013 and it provided me great information, having access to pods and equipment really pushed me over the top.”

Natraj Babaria CCIE #27968 Wrote:
“Your excellent CCIE materials helped me tremendously throughout my Routing and Switching journey. Without these materials, this would not have been possible. I can say that iPexpert provides absolutely great and the best materials for any CCIE track.”

Jose Hernandez Asensio, CCIE #15276
“I used the CCIE RS Workbook and it was a definitive help to master all the topics within blueprint and to face the exam with the needed confidence. I could pass in my first attempt without problems. Thanks IPexpert for the perfect materials.”

We Want to Hear From You!

Have you passed your CCIE lab exam and used any of iPexpert’s or Proctor Labs self-study products or attended a CCIE Bootcamp? If so, we’d like to add you to our CCIE Wall of Fame!

CCIE Collaboration Lab VOD Samples

New CCIE R&S V5 4-Hour Courses Posted :: Free for iPeverything Subscribers

We’ve released the following 4-hour courses for our 1-year and 2-year iPeverything subscribers.

To register and confirm your seat, simply go into our Member’s Area Calendar, select the course you’d like to attend, and click the “register” button.

Wednesday: Oct 1st
Title: CCIE R&S V5 VPN Technologies / DMVPN
Course Time: 1:00 PM EST to 5 PM EST

  • GRE
  • NHRP
  • DMVPN (Single Hub)
      • Phase 1
          • with EIGRP
          • with OSPF
      • Phase 2
          • with EIGRP
          • with OSPF
      • Phase 3
          • with EIGRP
          • with OSPF
  • DMVPN with Encryption
  • Troubleshooting DMVPN Topologies

Thursday: Oct 2nd
CCIE R&S V5 Quality of Service
Course Time: 1:00 PM EST to 5 PM EST

  • End-to-End QoS
  • CoS and DSCP Mappings
  • MQC/HQF
  • Classification
  • Marking
  • Policing
  • Shaping
  • Queuing
  • HQoS, sub-rate Ethernet
  • Congestion Avoidance
  • Link Efficiency Mechanism
  • Troubleshooting QOS Mechanisms

Friday: Oct 3rd
CCIE R&S V5 Routing Specific Technologies
Course Time: 1:00 PM EST to 5 PM EST

  • OSPF BFD
  • OSPFv2 SHA1
  • OSPFv3 IPsec Authentication
  • OSPF GTSM
  • OSPF IP FRR/Fast Reroute (Single Hop)
  • OSPF LFA (multihop)
  • BGP Dynamic Neighbor
  • BGP 4 Byte AS Numbers
  • BGP IPv6

Tuesday: Oct 7th
CCIE R&S V5 Security
Course Time: 1:00 PM EST to 5 PM EST

  • Security
  • PACL
  • FHS
  • RA GUARD
  • DHCP Guard
  • ND Inspection/Snooping
  • Source Guard
  • Services
  • NTP
  • IPv6 DHCP
  • SLAAC/DHCP Interaction
  • NAT ALG

iPexpert’s 2014 CCIE Scholarship Winners :: September 2014

For the entire year of 2014, we will be giving away 60 free Online-HD-ILT Bootcamp seats, and CCIE Lab Self-Study Training Bundles spanning across every CCIE track we teach (R&S, Collaboration, Data Center, Wireless and Security).

As a Recap, Here’s What We’re Giving Away:

  • 1 Online-HD-ILT seat given away for each track every month (5 Bootcamp winners announced monthly)
  • 1 CCIE Lab VOD and Workbook(s) Bundle given away for each track every month (5 self-study winners announced monthly)

How to Enter:

  • Must follow @iPexpert on Twitter before entering.
  • To win an Online-HD-ILT Bootcamp seat, you must Tweet: “I want to win a free Online-HD-ILT seat from @iPexpert for the CCIE <XXXXXXX> track”, where <XXXXXXX> is the name of the track you are preparing for. *Note, followers attempting to win for multiple tracks will not be considered.
  • To win a CCIE Lab VOD and Workbook Bundle, you must Tweet: “I want to win a free CCIE Lab VOD and Workbook(s) Bundle from @iPexpert for the CCIE <XXXXXXX> track”, where <XXXXXXX> is the name of the track you are preparing for.
  • Must include @iPexpert in tweet.
  • Multiple entries are encouraged, however – we’d like to ask for a max of 5 mentions per day. For every follower you have who follows @iPexpert and retweets, that also counts as another entry.
  • Winners will be selected via a random drawing method, with each tweet / retweet accounting for an additional entry – which will increase your odds of winning.

General:

  • Winners will be posted on our blog the first of every month. In the case of the 1st being on a holiday or weekend, the winners will be posted the following business day or following Monday.
  • You must claim your prize within 30 days by emailing your twitter account name, full legal name, address, and contact details to sales@ipexpert.com.
  • Prizes must be used within 18 months.
  • Prizes cannot be transferred to another person or sold.

The September 2014 winners of a free 5-Day Online-HD-ILT Bootcamp seat:

  • R&S: @trevorc1653
  • Collaboration: @SmolzPhoto
  • Data Center: @SebaPast
  • Wireless: @rscciew
  • Security: @salemmya

The September 2014 winners of a free Lab VOD and Workbook(s) Bundle:

  • R&S: @yudipbr
  • Collaboration: @davemowery
  • Data Center: @franzeunice
  • Wireless: @irenu87
  • Security: @lagossa

Congratulations to our winners!
