Our new CCIE 2.0 model of agile and responsive development, adaptive and personalized learning, and intimate community interaction and involvement is what we believe will help us further our goals.  As stated in the announcement our commitment is to our customers and not the bottom line.

We feel that this new model will let us respond to changes within days, not months, or years; that it will enable us to further engage our customers with unique and tailored learning solutions.  Furthermore, it will empower our customers by giving them more control over, flexibility of, and opportunity for CCIE advancement.

The announcement we made yesterday seems to have generated a lot of interest in the CCIE community.  The response has been overwhelmingly positive, but a very limited few have unfortunately assumed that this announcement was done to participate in some sort of “vendor war”.  We don’t want to be involved in or appear to be involved in any sort of “vendor war”.  Our sole focus is on our customer and their success.  That’s my core belief, our instructors’ core focus, and IE’s guiding principle.  To further follow that principle, I’ve removed any posts or blog comments that could be somehow perceived as feeding into a “vendor war”.

Lastly I would like to say that your goals are our goals, that we can only achieve these goals together, and only if we are continually striving for improvement.

I. Module 1: The Operation of Data Networks

A. Cisco Network Devices

B. The OSI Model

C. The TCP/IP Model

D. Voice Over IP and Video Over IP

E. Network Diagrams

F. Network Paths

G. Common Network Problems

H. LAN versus WAN Features

II. Module 2: Implementing a Small Switched Network

A. Physical Media

B. Ethernet

C. Network Segmentation

D. Basic Switching Concepts

E. Initial Switch Configuration

F. Switch Verifications

G. Basic Switch Security

H. Common Switch Issues

III. Module 3: IP Addressing and IP Services for a Small Network

A. The Role of Addressing

B. Private versus Public Addressing

C. DHCP

D. Create and Apply an Addressing Scheme

E. NAT

F. DNS

G. Common Addressing Issues

IV. Module 4: Implementing a Small Routed Network

A. Basic Routing Concepts

B. Operation of Cisco Routers

C. Initial Switch Configuration

D. Physical Media

E. RIPv2

F. Router Management

G. Router Security

H. Router Verifications

V. Module 5: WLAN

A. Standards

B. Wireless Components

C. Wireless Configuration

D. Wireless Security

E. Common Wireless Issues

VI. Module 6: Network Security

A. Security Threats

B. The Security Policy

C. Attack Mitigation Techniques

D. Common Security Appliances and Applications

E. Best Practices

VII. Module 7: WANs

A. Connecting a WAN

B. Configure a Serial Connection

C. Verify a Serial Connection

Exam Details

Exam Number: 640-822
Exam Name: ICND1
Number of Questions: 40
Total Time: 90 Minutes
Passing Score: 804
Exam Sections:
Describe the operation of data networks
Implement a small switched network
Implement an IP addressing scheme and IP services for a small network
Implement a small routed network
Explain and select the appropriate administrative tasks required for a WLAN
Identify security threats to a network and describe general methods to mitigation
Implement and verify WAN links

640-822 is one of the best Cisco (written) exams I have EVER seen. It does an excellent job of testing real world skills that an entry-level technician would need to succeed supporting small routed and switched networks.

The emphasis of the exam is on basic configuration and troubleshooting of Cisco devices. While there are a smattering of definitional type theory questions, the major focus is “hands-on”, scenario based questions.

You should be ready to solve Simulations, scenario and exhibit-based multiple-choice questions, drag and drop, and standard multiple-choice queries. Be very careful about how much time you dedicate to any one question, since you might really burn the clock on a single given exercise. Time management is a key to success in this exam.

This exam does a superb job at reflecting the published exam blueprint, and as such, you can expect our course materials for CCENT to explain fully all questions.

You will feel very proud when you complete the CCENT certification with a passing score on this exam, as you will very clearly be ready to support the basic Cisco network!

Enjoy your studies!

In this post we will quickly discuss the use of most commonly needed IGMP timers. First, as we know, multicast routers periodically query hosts on a segment. If there are two or more routers sharing the same segment, the one with the lowest IP address is the IGMP querier (per IGMPv2 election procedure – as you remember, IGMPv1 let the multicast routing protocol define the querier).

Read the rest of this entry »

Thank you everybody for the tremendous response to our announcement vSeminar. For those of you that weren’t able to attend due to capacity or other issues, the recording for CCIE 2.0 - The Next Evolution can be found here.

Much more detail will be posted over the coming days, but in a nutshell this is what’s changing at IE:

First and foremost, Internetwork Expert is not joining the Cisco 360 Program. Instead, we have devised a new framework - CCIE 2.0 - for the next evolution in the training industry.

CCIE 2.0 consists of the following:

• dynamic customized self-paced content
• adaptive written & hands-on assessments (Poly-Labs)
• continuing interaction with instructors, authors, customer success managers, and support staff
• community involvement

Next, starting Q1 2009 we will be offering ILT, online classes, class-on-demand, and lab workbooks for the Associate & Professional level tracks. We’ll be starting at CCENT, progressing to CCNA, and CCNP/CCVP/CCSP.

Stay tuned for more detail on the program, along with our new vSeminar and Online Classroom schedule.

Happy Labbing!

In this post we will look at the basic classification and marking features available in the 3550 and 3560 switches. Basic features include packet marking using port-level settings and port-level policy-maps. Discussing Per-VLAN classification is outside the scope of this document.

The Catalyst QoS implementation bases on Differentiated Services model. In a few words, the ideas of this model could be outlined as follows:

1) Edge nodes classify ingress packets based on local policy and QoS label found in packets.
2) Edge nodes encode traffic classes using a special field (label) in packets to inform other nodes of the classification decision.
3) Core and edge nodes allocate resources and provide services based on the packet class.

Note that each node acts independently on its own, as instructed by the local policy. In order for the QoS policy to be consistent end-to-end, the network administrator must ensure that all nodes use the same classification and resource allocation policy.

The following are the marking types found in IP/Ethernet networks:

1) ToS byte in IP packet or Traffic Class byte in IPv6 packet. The switch may interpret this field in two different ways:
1.1) Interpret the topmost six bits of the byte as DSCP code point. This is in full compliance with Diff-Serv model.
1.2) Interpret the topmost three bits of the byte as IP Precedence value. This complies with the old, “military-style” QoS model, where higher precedence traffic preempts the lower precedences. Note that IP Precedence numbers form a “subspace” of DSCP numbers.
2) The CoS bits (three bits) in 802.1q/ISL header of a tagged Ethernet frame. These bits are also known as 802.1p priority bits, and should be interpreted as relative traffic priorities.

As we can see, the marking types could be either Layer 3 (IP/IPv6 fields) or Layer 2 (802.1p bits). Naturally, the latter option is only applicable on trunk links.

The Catalyst switches have no special intelligence to implement any of these QoS models by themselves. It’s up to you to define policy and encode classes using any marking you find more suitable for your task. Due to numerous markings types, Catalyst switches assign a special internal QoS label to all packets and use this label for internal QoS processing. In the 3550 this label is simply a special “internal” DSCP value. However, in the 3560 the QoS label format is more complicated, and allows storing either CoS or DSCP information.

Now recall the distinction made by the multilayer switches between IP and non-IP packets. As we know, Layer 3 switches are hardware optimized to route IP or IPv6 packets using their ASICs for optimum performance. This results in differences of handling the IP and non-IP packets. You may use MAC-based ACLs (matching MAC addresses, Ether-types or LSAPs) only with non-IP packets (e.g. ARP, DECNet, IPX). The MAC ACLs will not match any of IP packets, even if you specify a matching MAC addresses. Also, note that the 3560 models treats IPv6 as “IP” traffic, while the 3550 treats IPv6 packets as “non-IP” and matches them with MAC ACLs.

QoS processing pipeline

The following diagram displays stages of QoS processing in a typical Catalyst switch.

We are now considering the Classification and Marking stage. The switch uses local policy configuration to classify input packets. The local policy may be as simple as port QoS settings or more complicated, such as policy-maps with QoS ACLs. The result of classification stage is the internal QoS label (e.g. internal DSCP value with the 3550). At this stage, the switch uses special globally configurable QoS mapping tables. The tables map one QoS marking “type” to another, e.g. CoS values to DSCP, or DSCP to CoS. You can display the tables using the command show mls qos map.

The switch uses these tables for two major purposes:

a) To “synchronize” different types of QoS markings present in a packet. For example, if you instruct the switch to set CoS field to “3”, the switch will look up through the CoS-to-DSCP mapping table and rewrite the DSCP value in the IP packet header accordingly.

b) To translate the ingress marking (e.g. CoS, or IP Precedence) into the values used in the QoS label. For example with the 3550 switch, the CoS to DSCP mapping table is used when you trust ingress CoS marking to find the resulting internal DSCP value.

You may classify using either interface level settings or by applying a pre-configured policy-map to the interface. These two options are mutually exclusive: that is, if you configure interface level classification settings and later apply a service-policy, then the latter removes interface-level QoS classification settings (there are some exceptions though).

Classification Options

1) Trust one of the marking types already present in packet (mls qos trust {dscp|ip-precedence|cos}). For IP packets, it is possible to trust either IP Precedence or DSCP value. Of course, doing so makes sense only for IP packets. If the switch trust IP marking and incoming packet is non-IP, the switch will attempt to classify based on CoS value in the Ethernet header. If there is a CoS value in the packet (i.e. the port is trunk) the switch uses this value to build the QoS label. However, if the packets bears no CoS field, the switch will look at the default CoS value configured on the interface (mls qos cos x). The switch computes corresponding DSCP value for the label using the CoS to DSCP table. When you trust IP precedence, the switch builds DSCP value using the IP-Precedence to DSCP mapping table and the CoS value using the DSCP to CoS mapping table.

2) Trusting CoS (mls qos trust cos) is a bit different. First, it works for both IP and non-IP packets, since they both may bear CoS bits in the Ethernet header. Thus, when the switch trusts CoS on interface, it attempts to build the QoS label based on the CoS bits. If there is no 802.1q/ISL header, the default CoS value from the interface settings is used instead (not the IP/DSCP value from the packet header!). This procedure works for both IP and non-IP packets: the switch does not take in account the IP Precedence/DSCP values. The corresponding mapping table allows the switch to compute the internal DSCP value/QoS lable and rewrite the DSCP values in the IP/IPv6 packet header.

3) You may explicitly assign a specific CoS value to all packets, either marked or not, entering the interface using the mls qos cos override command. This command will force the use of CoS value specified by the mls qos cos x command for all IP and non-IP packets. Note that this feature only works with CoS values, and the switch deduces actual DSCP marking using the CoS to DSCP mapping table. Also, note that any “trust” configuration on an interface conflicts with the “override” settings and thus the switch removes the former commands.

4) The most flexible option is to use QoS ACLs to perform classification and we are going to discuss the use of QoS ACLs in a separate topic below.

A special type of trust is conditional trust. That means trusting QoS marking only if the switch detects certain device connected to the port - for example, if the switch senses Cisco IP Phone CDP announces. The command for conditional trust is mls qos trust device and it instructs the switch to trust the packet marking only if the certain device reports itself via CDP.

The automatic rewrite feature ensures the uniform marking - that is, it takes care of synchronizing L2 and L3 code points. Is it possible to trust DSCP and built the internal QoS label based on its value, but retain the CoS bits in the packet? Alternatively – trust CoS bits and retain the DSCP values? You may need this capability occasionally, if you want to “tunnel” one type of QoS marking through your network, while using the other type for your needs.

QoS Pass-Through feature

In the Catalyst 3550, you may set one type of marking as “pass-through”. For example, when you trust CoS you may enable DSCP pass-through with the interface-level command mls qos trust cos pass-through dscp. The command with reverse logic is naturally mls qos trust dscp pass-through cos.

On the 3560 switches, you only have option to disable DSCP rewrite in IP headers, when you trust the CoS values, using the global command no mls qos rewrite ip dscp

Classification using QoS ACLs

Even though they are called QoS ACLs (the term borrowed from CatOS) you actually apply these using MQC syntax by configuring class-maps and policy-maps. You may define MQC traffic classes by matching one of the following:

1) MAC or IP/IPv6 access-list. The MAC access-list matches non-IP packets and IP/IPv6 matches IP or IPv6 packets respectively. Of course, you can only match IPv6 packets on the 3560. As mentioned above, you cannot use MAC ACLs to match IP traffic (though you can use MAC ACLs on the 3550 to match IPv6 traffic).

2) DSCP and IP Precedence values. Note that you cannot match CoS value in Ethernet headers (like you can do in routers).

3) Additional platform-specific matches like match input-interface and match vlan. These are used by the 3560 hierarchical policy maps or the 3550 per-port per-VLAN classification.

The classification criteria are very limited, compared to IOS routers. You cannot match packet size or packet payload. Additionally, you cannot do hierarchical matching, with exception for per-VLAN classification feature. These limitations are result of tight hardware optimization in the Layer 3 switches.

Pay attention to the behavior of the class “class-default” with the Catalyst QoS. This class works fine in the 3560 switches, matching both IP and non-IP traffic. However, it seems to work inconsistently or does not work at all with the 3550 switches. In the latter model, as a workaround, create special classes to match either all IP or all non-IP traffic using IP/MAC ACLs:

ip access-list standard ALL_IP
 permit any
!
mac access-list extended ALL_MAC
 permit any any 0x0 0xFFFF
!
class-map ALL_IP
 match access-group ALL_IP
!
class-map ALL_MAC
 match access-group ALL_MAC

Under a class in the policy-map you can either trust (CoS, DSCP, IP Precedence) or set (DSCP, IP Precedence) the respective QoS marking. Note that you cannot set CoS value directly in the 3560 switches, but you can set DSCP for non-IP packets. The switch translates DSCP into CoS using the DSCP-to-CoS mapping table. The same holds true for the 3550 switches – you can set DSCP on the non-IP packets and it is translated to the CoS. Note the special feature of the 3560 switches: the QoS marking you trust or set is later used to look up the DSCP or CoS to queue/threshold mapping tables. This is because the 3560 defines two egress mapping tables: one for DSCP and other for CoS values, based on the complex structure of the QoS label.

In the 3550 switches you can set CoS value directly in one special case. First, you need the global command mls qos cos policy-map. Using this feature, you must trust DSCP marking and set Layer 2 marking using the set cos command. This simulates the behavior of “CoS pass-through” feature available at the interface-level settings. The set cos feature only works when you trust DSCP. Furthermore, the 3550 performs all QoS processing and deduces internal DSCP based on the trusted dscp value, not the CoS value set with the policy map.

With both switch models, you can either configure set dscp or set ip precedence but not at the same time, of course – the one configured later erases the previous one. Also, if a class contains ”trust” and “set” statements for the same type of marking (e.g. L3 or L2) the trust statement takes precedence over explicit set.

Aside from that, trust feature works the same way as it works on the interface but has scope limited to the class defined by ACL.

Remember that applying a service-policy will remove any interface-level QoS settings on the interface, with exception to the default CoS (which is used by the policy map when you trust CoS inside a class). If the input packet doest not match any class in the service-policy, the switch will set all marking to zero. If you trust CoS for IP or non-IP packets and there is no 802.1q/ISL header the switch will take the default CoS value from the interface settings or use zero markings.

Brian Dennis and Brian McGahan, Co-Founders of Internetwork Expert, will make a major corporate announcement during an online webcast, Thursday, October 30th at 11AM PDT.

Who: Brian Dennis and Brian McGahan: Co-Founders of Internetwork Expert
What: Major Corporate Announcement
Where: Online Webcast
When: 11 a.m. (PDT) Thursday, October 30th, 2008

Click Here To Register Now

If you are not able to attend this live event, a recording will be posted shortly afterwards.

Current customers please note, this announcement will not affect the status of our Investment Protection Program. All previous, current, and future purchases are still protected under this plan!

Recently as most rack rental customers are aware of it’s not easy to find an available rack or mock lab session.  Our security rack rentals are running near 100% capacity, the SP racks are also near 100% capacity, voice is already near 75% capacity and R&S rack rentals are near 92.5% capacity.   Currently we are out of power and space at our two offices in the Reno Technology Center.  We have just signed a lease on a new 4200sqft hosting facility.  This will allow us to expand to over 400 CCIE racks.  We have already started purchasing the additional hardware for the new racks and they should start becoming available in November so watch for sessions that are currently sold out to become available.

Around the middle of November you will see the start times of the rack rentals and mock labs vary (every 3 hours a session will start).  This is designed to accommodate our customers in Europe, the Middle East and Asia.   Currently the sessions start at inconvenient times for customers in these locations.

The voice racks now support EZVPN and SSL VPN connections.  We have installed two VPN routers for redundancy and to allow for multiple connections.   This means you can now use your own phones and/or soft phones.  We are also adding additional 7960s to each rack.  After next week you will see one additional 7960 phone added to the HQ site bringing the total to three 7960s and one additional 7960 for the BR1 site bring the total to two 7960s.

We will have a voice bootcamp rental kit available for anyone running their own voice CCIE bootcamps.   Currently vendors that are renting out our voice racks for bootcamps need to provide their own IP phones and router/PIX/ASA for the VPN connection.  The new kit that is identical to the kit we will start using for the voice bootcamps includes (per student) three 7960 phones, an ATA 186 and an analog phone.  There is also one VG248, two 3550 24 port PoE switches, one 2811 and the necessary cables needed to connect everything up.

I would like to add that our voice rack rentals are only $15 per 5.5 hours.   In addition to our voice products and classes you should be able to do any vendor’s practice labs on our voice racks.  To view our topology click here.

Since the rumor seems to be out that something big is brewing at Internetwork Expert I thought I would let everyone know that yes we will be making a big announcement early next week.  Everyone just stay tuned!

Update:  A few people have asked if they should wait to make a purchase until after the annoucement.  The answer is no.   You actually have an advantage if you purchase before the annoucement.    Example:  if you purchase a self-paced E2E today and the self-paced E2E changes next week you are covered by our Investment Protection Program.

One of the new technologies to be featured in the CCIE Security 3.0 blueprint is the GET VPN. This blog post will give you the basics of this new and exciting technology.

Here is the scenario; you are a large corporation with multiple branch offices that need VPN connections between them in order to protect data that needs to be shared from branch to branch. The standard Cisco solution is to create point-to-point IPSec VPNs between these branch offices. This can quickly become a nightmare for administration, obviously, as this “any to any” encryption model using traditional VPN methodologies simply does not scale. Helping to exasperate this issue is the replication of multicast traffic and the extreme difficulty of implementing Quality of Service mechanisms across the core of the network.

The Group Encrypted Transport VPN model has your routers become trusted members of VPN groups as a replacement for the point-to-point model. Secured packets now use the existing router infrastructure and have their original IP header preserved. This helps to ensure that intelligent services like QoS and multicast are no longer implementation problems!

Another huge scalability issue with the traditional, point-to-point approach for “any to any” VPNs is key management. The GET VPN features simplified security policy and key distribution thanks to the Group Key Distribution Model. This model uses Group Domain of Interpretation (GDOI) as specified in RFC 3547.  The Group Key Distribution Model features a Key Server (a Cisco router) that authenticates group members, and handles the distribution of security policies and any required keys. In the interests of further scaling this already scalable solution, as well as improving availability, Cooperative Key Servers can be used across wide geographic distributions.

Here are the core technologies to explore with the GET VPN feature:

• Group Domain of Interpretation (GDOI) RFC 3547
• Key Servers (KS)
• Cooperative Key Server (COOP KSs)
• Group Member (GM)
• IP tunnel header preservation
• Group security assocaition
• Rekey mechanism
• Time-based anti-replay (TBAR)

Here are the GET VPN core benefits:

• Large scale any-to-any IPSec security
• Utilizes the underlying IP VPN routing infrastructure
• Integration with existing multicast infrastructures
• IP source and destination address preservation

I certainly hope this post wets your appetite and gives you a framework to begin your studies of the GET VPN technology.