Sunday, August 20, 2017

Alhamdulillah, I’ve just passed the CCIE DCv2 Exam

It's been a while since I've written any blog posts.

I would like to share my DCv2 experience, of course within the bounds of Cisco's NDA.

It was around 2 years of preparation. I started studying for DC in mid-2015, when I decided to go for the CCIE DC track. But unfortunately, the DC track then changed to v2, where Cisco introduced new topics like VXLAN and ACI, as well as new hardware (N9K), at a point where I had already learned about half of the topics listed on the v2 blueprint.

With that being said, I decided to take the new DCv2 exam in late 2016, by which time I thought I had learned the basic hands-on for the new v2 topics.

When I sat for the exam, the new thing I learned during that first Lab attempt was that the CCIE Lab uses dual 'big screens', and I was mesmerized :p

It starts with the Diagnostic section, where basically we play the role of a TAC engineer, receiving information from the customer, and we are expected to find the root cause of the issue. It was cool, but I felt that a lot of information was given, and I quite panicked about how to start >.< Basically it was my first time dealing with a Diagnostic session.

The next section was Config, where basically we have to build and/or repair the config based on the specific guidelines given in the question. It was really tough, because I was really dependent on the DocCD, especially for the topics I was not very familiar with.

And as I expected, I failed my first attempt, and I learned that I had to study more, not only the technical part of the exam, but also the right strategy for the next attempt.

So I went back and spent my nights with the blueprint topics. I used INE to study, where luckily they had already released video material on DCv2. I would say the VXLAN & ACI topics presented by Brian M were really great; they break the technology down into smaller pieces, always starting with building L1-L3 (the underlay) and going up. Especially for the ACI part, where my focus had usually been on the EPG and contract relationship, I learned how the access policies under the fabric play a big role in L1-L2 connectivity, and how everything glues together in ACI. Thanks to INE.

After I felt ready, I decided to take my second attempt at the DC Lab Exam. I flew in one day prior to my exam and got to the Cisco office early in the morning; I was already standing by at the location at 6.30AM.

Starting with the Diag section, my strategy was to put the questions on one monitor and all the provided information on the other monitor. It really helped me jump around between the questions and the information I was looking for to answer them.

In the Configuration section, same strategy: I put my consoles on one monitor and the diagram & questions on the other, and again it helped me jump between the questions and configuring the devices. In the second attempt I didn't draw the lab diagram like I used to, because I believed I could use the dedicated second monitor to always view the diagram.

In the middle of the lab exam I experienced a lab delivery problem, so I called the proctor, and he spent about 15-20 minutes troubleshooting the issue, but the good thing was that I got extended time to finish the lab.

I was counting my points, making sure that I had collected enough points that I considered safe, and I only had about 40 minutes left to re-verify all my work on the Config section.

When the lab finished, I went to the hotel in a blank state, worrying that I would have to take another attempt. When I got to the hotel, I got the email saying that my lab score could be viewed, and I grabbed my laptop right away to see the result, with my heart pounding really fast……..

When I saw the exam report, I saw that I had passed the exam, Alhamdulillah.

I basically couldn't believe it at that moment; I rechecked the lab score again, as well as the CCIE verification, and came to the conclusion that I had passed the CCIE DC lab exam…..

I was really happy that I could finally pass the exam. I would like to thank God for granting my wish to pass the exam, and my family for their support.

I think I will spend another few weeks enjoying the moment…..


Thursday, November 5, 2015

Front VRF (FVRF) Technology



The Front VRF (FVRF) feature essentially lets us inject a default route learned from the IGP through a tunnel interface in a VPN deployment. Normally our router has a static default route pointing to the upstream Internet router, or a default route learned from DHCP.

In that case we cannot install the dynamic default route from the IGP (EIGRP in our case), because its administrative distance (AD) is higher than that of the static route. If we lowered the AD on the EIGRP side so that the EIGRP default won, the tunnel between R1 and R6 would break: the router would then try to reach the tunnel destination through the tunnel itself (recursive routing) instead of through the Internet link….

One use case that fits the FVRF feature is this: imagine you are responsible for managing the HQ and branch networks of Bank XYZ. Bank XYZ has a compliance requirement stating that all traffic from the branches (both internal and Internet access) MUST traverse the HQ. With this kind of requirement, most of the security and other technical work is done at the HQ, and the branch offices just configure a route that leads to the HQ WAN router. Simple, right?

But deploying direct Internet access at the branches makes the traffic hard to manage, especially the branch-to-Internet traffic, because the branches CAN now reach the Internet directly without traversing the HQ WAN router. That means you, as the IT service guy, would have to create a compliance & security configuration template and apply it to every single branch network and/or security device, right? Yikes, that is going to be a lot of work.

What if, even when the branch offices have a direct Internet connection, their Internet traffic still traverses the HQ WAN router? Internet access from the branch is then treated as traffic over the WAN link, which is now a VPN tunnel (GRE, for example). This means we can meet Bank XYZ's compliance requirement even though every branch office now has a direct Internet connection. Isn't that compelling?

Let's get down to our simple example.

Our scenario consists of 4 devices with the following roles:
  • R1 (HQ WAN router) --> advertises Lo1 (172.16.1.1/24); the router that will have a tunnel with R6.
  • R6 (branch router with direct Internet access) --> advertises Lo1 (172.16.6.6/24); the router that will have a tunnel with R1.
  • SW1 (internal network that has a default route towards the HQ Internet) --> internal EIGRP router adjacent to R1; this switch advertises a default route into EIGRP 100 (11.11.11.11/32).
  • R99 --> dummy Internet router that only knows the public IP subnets (excluding 11.11.11.11/32).


So in this case, the default route to the Internet is handled by the FVRF, while the default route from the IGP is handled by the global routing table on each router. Because the tunnel is bound to the VRF with "tunnel vrf FVRF", the tunnel source and destination are resolved in the FVRF table, so the IGP default route in the global table can never pull the tunnel endpoint into the tunnel itself.



R1 Configuration
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.255
 ipv6 address 2001:172:16:1::1/128
!
interface Ethernet0/3
 description Connection to SW1
 ip address 10.1.11.1 255.255.255.0
!
vrf definition FVRF
 rd 1:1
 !
 address-family ipv4
 exit-address-family
!
interface Serial2/0
 description Connection to the Internet
 vrf forwarding FVRF
 ip address 123.1.99.1 255.255.255.0
 encapsulation ppp
 serial restart-delay 0
!
ip route vrf FVRF 0.0.0.0 0.0.0.0 123.1.99.99
!
interface Tunnel16
 ip address 192.168.16.1 255.255.255.0
 tunnel source Serial2/0
 tunnel destination 123.6.99.6
 tunnel vrf FVRF
!
router eigrp 100
 network 10.1.11.1 0.0.0.0
 network 172.16.1.1 0.0.0.0
 network 192.168.16.1 0.0.0.0
!

R6 Configuration
!
interface Loopback1
 ip address 172.16.6.6 255.255.255.255
 ipv6 address 2001:172:16:6::6/128
!
vrf definition FVRF
 rd 6:6
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!   
interface Serial2/0
 description Connection to the Internet
 vrf forwarding FVRF
 ip address 123.6.99.6 255.255.255.0
 encapsulation ppp
 serial restart-delay 0
!
ip route vrf FVRF 0.0.0.0 0.0.0.0 123.6.99.99
!
interface Tunnel16
 ip address 192.168.16.6 255.255.255.0
 tunnel source Serial2/0
 tunnel destination 123.1.99.1
 tunnel vrf FVRF
!
router eigrp 100
 network 172.16.6.6 0.0.0.0
 network 192.168.16.6 0.0.0.0
!

SW1 Configuration
!
interface Loopback0
 ip address 11.11.11.11 255.255.255.255
 ipv6 address 2001:11:11:11::11/128
!
interface Loopback1
 ip address 172.16.11.11 255.255.255.255
 ipv6 address 2001:172:16:11::11/128
!
interface Vlan101
 ip address 10.1.11.11 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 Loopback1
!
router eigrp 100
 network 10.1.11.11 0.0.0.0
 redistribute static metric 1 1 1 1 1
!
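As an added example (not code from the original post), here is a small Python lint that checks an IOS config for the FVRF pattern described above: the tunnel source interface must sit in the FVRF, the tunnel must be bound to it with "tunnel vrf", the default route toward the Internet must live inside the VRF, and no global default route may bypass the tunnel. The R6 sample is constructed from the post's config; the helper names (parse_interfaces, check_fvrf) are my own assumptions.

```python
import re
# Constructed sample: R6's branch config from the post, trimmed to the FVRF parts.
R6_CONFIG = """
vrf definition FVRF
interface Serial2/0
 vrf forwarding FVRF
 ip address 123.6.99.6 255.255.255.0
!
ip route vrf FVRF 0.0.0.0 0.0.0.0 123.6.99.99
!
interface Tunnel16
 ip address 192.168.16.6 255.255.255.0
 tunnel source Serial2/0
 tunnel destination 123.1.99.1
 tunnel vrf FVRF
!
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its indented sub-lines (stripped)."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return blocks

def check_fvrf(config, vrf="FVRF"):
    """Return findings; an empty list means the config follows the FVRF pattern."""
    findings, ifaces = [], parse_interfaces(config)
    for name, body in ifaces.items():
        if not name.startswith("Tunnel"):
            continue
        if f"tunnel vrf {vrf}" not in body:
            findings.append(f"{name}: missing 'tunnel vrf {vrf}'")
        src = next((l.split()[2] for l in body if l.startswith("tunnel source ")), "")
        if f"vrf forwarding {vrf}" not in ifaces.get(src, []):
            findings.append(f"{name}: tunnel source '{src}' is not in vrf {vrf}")
    # A global default route would let branch Internet traffic bypass the HQ tunnel.
    for line in config.splitlines():
        if re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 ", line):
            findings.append(f"global default route bypasses the tunnel: {line}")
    if not re.search(rf"^ip route vrf {vrf} 0\.0\.0\.0 0\.0\.0\.0 ", config, re.M):
        findings.append(f"no default route inside vrf {vrf}")
    return findings
```

Run check_fvrf over each branch router's running-config before deployment; any finding means the branch can reach the Internet without going through the HQ tunnel.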


R1 Verification
R1#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 10.1.11.11 to network 0.0.0.0

D*EX  0.0.0.0/0 [170/2560025856] via 10.1.11.11, 00:11:10, Ethernet0/3
      172.16.0.0/32 is subnetted, 2 subnets
D        172.16.6.6 [90/27008000] via 192.168.16.6, 00:05:19, Tunnel16
R1#
R1#ping 11.11.11.11 sou lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms

R1#sh ip route vrf FVRF

Routing Table: FVRF
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 123.1.99.99 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 123.1.99.99
      123.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        123.1.99.0/24 is directly connected, Serial2/0
L        123.1.99.1/32 is directly connected, Serial2/0
C        123.1.99.99/32 is directly connected, Serial2/0
R1#
R1#ping vrf FVRF 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/10 ms


R6 Verification
R6#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.16.1 to network 0.0.0.0

D*EX  0.0.0.0/0 [170/2561305856] via 192.168.16.1, 00:06:06, Tunnel16
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D        10.1.11.0/24 [90/26905600] via 192.168.16.1, 00:06:06, Tunnel16
      172.16.0.0/32 is subnetted, 2 subnets
D        172.16.1.1 [90/27008000] via 192.168.16.1, 00:06:06, Tunnel16
R6#
R6#ping 11.11.11.11 sou lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
Packet sent with a source address of 172.16.6.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 19/19/21 ms
R6#
R6#traceroute 11.11.11.11 sou lo1
Type escape sequence to abort.
Tracing the route to 11.11.11.11
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.16.1 19 msec 18 msec 18 msec
  2 10.1.11.11 18 msec *  20 msec
R6#
R6#sh ip route vrf FVRF

Routing Table: FVRF
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 123.6.99.99 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 123.6.99.99
      123.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        123.6.99.0/24 is directly connected, Serial2/0
L        123.6.99.6/32 is directly connected, Serial2/0
C        123.6.99.99/32 is directly connected, Serial2/0
R6#
R6#ping vrf FVRF 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/10 ms


The GRE tunnel between R1 and R6 carries the branch traffic across the Internet in cleartext, so you may want to add encryption (IPsec) to the tunnel as well; we are going to discuss that in a separate post.

I hope it has been informative for you and I’d like to thank you for reading.