Training with Firebrand

Firebrand are simply that good!  I have exprienced a lot of bad courses over the years, and experience some of you may have also shared!  To be honest my main gripes have been the following:

1. Courses not long enough to adequately cover materials
2. Instructors who start with "we aren't going to cover XYZ" as you can study that yourself, the worst one was turning up and being told "we won't be covering IPV6" here is a self study cd from cisco instead you can take with you (It was the IPV6 i was really there for!!!)
3. Being stuck in group dependent labs with people who didn't know the basics and then sitting waiting for them to complete, to the point where on one course I insisted on a lab setup for myself or I wanted my money back as I was the only one who had any hands on experience, (no one met the pre-requisites except me.
4. Instructors who rush the material to finish an hour early
5. Non official curriculum that you can see from day 1 doesn't cover all the topics.
6. Not enough time to do labs and think about what you are actually doing just typing away.... no point.

The list could go on - I was a trainer myself and I can recognise an instructor fed up with teaching the subject they are on..  and an instructor who can't be bothered or simply can't help a student troubleshoot an issue or explain a techniuque differently because they don't really have the depth themselves.

that said one of the best instructors I ever had was a lady who said - we aren't doing the labs provided they are worthless and here are the ones we will use - made by herself and brilliant, she even had a floppy disk (yep that far back) with all the configs so if you got stuck you could go back or load up if fed up of troubleshooting something, and from my recollection she could troubleshoot anything that you had buggered up.

With all this in mind I found myself in a quandry - I wanted to renew my CCNP, I have had a time off studying through work and illness so wanted a course to catch up on whats new and as final prep for the exams - I stress final prep because going on a course without covering the material or concepts first is a recipee for overload and not gaining understanding.

So I scouted about and came up with Firebrand training - http://www.firebrandtraining.co.uk they seemed to have good reviews, and not just those on their website but ones on blogs and forums.  So with some Cisco credits in hand negotiated with Cisco and BT I booked onto the CCNP route bootcamp.

I arrived a day early as I always do so I can settle myself in clear my head of work and family and get ready to work.  Straight away you could see firebrand was something different, the location at Wyboston Lakes is amazing - there is a brand to it (no bad thing) and you can see the staff have bought into it and have pride in their job. 

The training facility is spacious, with a lounge that provides basically free everything, hot cold drinks sweets, fruit and a not for profit chocolate vending machine.   There's and Xbox and all the staff are close by and happy to answer anything you ask without looking like you are interrupting them.  In short they are professionals (everyone) and courteous, you instantly feel settled in and raring to go.

The hotel accomodation is great and so is the food, my room had places to fit the books and training materials I had brought with me and the TV let me use it as a second screen for my surface pro.  There was a desk lamp plenty of desk space to lay out materials.  The staff know who you are and why your there, they obviously have a good relationship with Firebrand as they seemed completely natural about firebrand questions.

At lunch i was asked by the serving staff what i was there for, was I enjoying the stay and it didn't seem scripted they were just nice people... I was starting to feel like I had slipped into the "other training dimension" that you imagine but doesn't really exist.

The biggest room bonus was the Shower (hot and powerfull) thats always a big winner for me!

My course induction was on a Saturday at 6pm and it was a proper induction and then straight onto the classroom for introductions and going through the logistics.   I walked in and WOW there was actual kit available if I wanted it (not seen that since the old days) although the labs were to be online and official cisco ones - bonus you get access for 60 days!

My instructor Dave Peek was obviously still enthused and set the tone for the rest of the week with a plan of how things would go, we then started straight away on some basic recaps - he didn't just say we will get started tomorrow!  There was none of the we aren't going to cover xyz or rush through it was your here for 8 days and we will be doing 12 hr days.   Not only that the training centre is open 24/7 and the instructor is normally around till 9:30.... find that anywhere else!

There was a good mix of students - firebrand is global so they were from uk and abroad - all of them met the pre-requisites but with a mix of experience and roles.  We had our evening meal and the instructor sat with us, not slinking off to avoid the students.

So for me the biggest selling point so far is the whole scenario of firebrand, they seem to have thought of everything - they have made sure all you need to succeed is there and they aren't out to squeeze every little penny from you whilst on site - you could easily go through the whole course without buying anything more or needing a trip to the shops...  Right down to the "failing is not an option Tshirts for only £5.00)  the message is you have paid and we are going to deliver on that...   They take their reputation seriously.

So it would be right in assuming I am a bit of a cynic when it comes to training companies, and if they can win me over you know that they are really that good.   I made it my business to "chat" to other candidates on other courses and they all shared the same feeling.

There's a lot more of the course to go so I will finish this post up later with my final review all I can say is if they deliver on the rest - if I fail it's down to me and nothing else - which is a great feeling.

If I have my way this is where my team will be doing all their training!!

Remembering Cisco Logging Levels:

Remembering lists can be dry and difficult; I like to use the journey method and take myself on a journey through a list.   Once I have the headings down I can then "tag" on the additonal knowledge, it's a bit like making a framework to build on.

Here is an example I used to remember the Cisco logging levels, if your studying for the troubleshooting exam this one should be burned into your head!

The error levels:

0 – Emergencies  - There was an emergency

1 – Alerts – You alerted the police

2 – Critical Conditions – A man was in a critical condition

3 – Errors – This was an error he was fine

4 – Warnings – you got a warning for wasting police time

5 – Notification – They sent you a notification of it

6 – Information – It contained information

7 – Debug – the man was only suffering from debug that everyone else has.

This then simply becomes:

There was an Emergency, you Alerted the police! A man in Critical Condition, however this was an Error, you received a Warning from the police for wasting their time.  A Notification arrived that contained Information that he just had Debug that everyone else had.

After studying the art of "remembering" there are some useful things you can do to help yourself, the more ridiculous or funny you make your journey the more likely you are to remember it.  Visualise your journey as if it was actually something you did, these reinforce the memory and help your mind retain it.

Apparently this phenomenon is related to the way our memories evolved from the Cave man days where things would be remembered in the form of a journey and drawn on cave walls, our minds are still wired to work that way!

The whole area of how we remember and the techniques used to improve memory can make for fascinating reading.   If you want to learn more google for "the link system".

OSPF Link Count and the Stub Network Issue:

This is a quick and dirty blog on an issue I came across when discussing the relationship between the number of physical interfaces and ospf link counts I hope it’s useful.

Understanding link counts can be critical to ospf troubleshooting, if you don’t understand how the link count is generated and its relationship to the physical link count then you can’t accurately predict how many LSA’s you should be seeing!

Examine the output below:

Core_3#show ip ospf database

Link ID         ADV Router      Age         Seq#       Checksum Link count

10.1.1.1        10.1.1.1        1767        0x80000005 0x006047 4

10.1.2.1        10.1.2.1        1001        0x80000008 0x002A9B 5

10.1.3.1        10.1.3.1        1766        0x80000005 0x00790A 3

10.1.4.1        10.1.4.1        1001        0x80000004 0x00DE64 3

Note there is a link count of 15 (we will look at this more closely)

Looking at the links for 10.1.3.1 Core_3  we can see that there is a link count of 3 but this router actually has only 2 physical?

 Whats going on??

To understand this take a look at the interfaces on core_3:

Core_3#show ip ospf interface

Serial1/0 is up, line protocol is up

  Internet Address 10.1.123.3/24, Area 0

  Process ID 1, Router ID 10.1.3.1, Network Type POINT_TO_MULTIPOINT, Cost: 64

  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT

  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5

    oob-resync timeout 120

    Hello due in 00:00:25

  Supports Link-local Signaling (LLS)

  Cisco NSF helper support enabled

  IETF NSF helper support enabled

  Index 2/2, flood queue length 0

  Next 0x0(0)/0x0(0)

  Last flood scan length is 1, maximum is 1

  Last flood scan time is 0 msec, maximum is 0 msec

  Neighbor Count is 1, Adjacent neighbor count is 1

    Adjacent with neighbor 10.1.1.1

  Suppress hello for 0 neighbor(s)

Loopback3 is up, line protocol is up

  Internet Address 10.1.3.1/24, Area 0

  Process ID 1, Router ID 10.1.3.1, Network Type POINT_TO_POINT, Cost: 1

  Transmit Delay is 1 sec, State POINT_TO_POINT

  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

    oob-resync timeout 40

  Supports Link-local Signaling (LLS)

  Cisco NSF helper support enabled

  IETF NSF helper support enabled

  Index 1/1, flood queue length 0

  Next 0x0(0)/0x0(0)

  Last flood scan length is 0, maximum is 0

  Last flood scan time is 0 msec, maximum is 0 msec

  Neighbor Count is 0, Adjacent neighbor count is 0

  Suppress hello for 0 neighbor(s)

We can see that there is a point to multipoint interface and a point to point interface.

Now let’s have a look at the interfaces on another router called Core_2

Examining the interfaces on core 2 you will find there are three physical links 2 x point to point and 1 x point to multipoint but again this router is showing  a link count of 5 and this is your first clue as to what is going on, remember each link is described by an LSA.

If we look closer at the LSA’s generated for point-to-point links you will find that a point to point link is described by two LSA’s one LSA describes the link to another router (point-to-point) and another that describes the subnet between them as a stub network, we can better understand this by examining the link as follows:

CORE_2#show ip ospf database router self-originate

            OSPF Router with ID (10.1.2.1) (Process ID 1)

                Router Link States (Area 0)

  LS age: 518

  Options: (No TOS-capability, DC)

  LS Type: Router Links

  Link State ID: 10.1.2.1

  Advertising Router: 10.1.2.1

  LS Seq Number: 80000006

  Checksum: 0x2E99

  Length: 84

  Number of Links: 5

    Link connected to: another Router (point-to-point)

     (Link ID) Neighboring Router ID: 10.1.4.1

     (Link Data) Router Interface address: 10.1.124.2

      Number of TOS metrics: 0

       TOS 0 Metrics: 64

    Link connected to: a Stub Network

     (Link ID) Network/subnet number: 10.1.124.0

     (Link Data) Network Mask: 255.255.255.0

      Number of TOS metrics: 0

       TOS 0 Metrics: 64

From the above you can see that for the link to 10.1.4.1 two lsa’s are generated describing the link to the other router and the network itself as a stub network. One more point, you may not be aware that there are several types of “TYPE 1 LSA’s” here’s a handy reference table for them:

LSA Type 1 (Router LSA)
Link Type	Description	Link ID Field contents
1	Point to point link to another router	Neighboring routers id
2	Link to a transit area	DR’s interface address
3	Link to a stub network	Network/Subnet number
4	Virtual Link	Neighboring router ID

I like to think of it this way, if you have only one choice of where you enter and where you leave the network and no election is held then ospf describes it as a stub.   If there is an election held and there are multiple exits (shared subnet) then it is described as a transit network.

This is an important concept to grasp, talking with others who are studying ospf they get really confused when there links don’t tally up, so keep that in your head point-to-point links take two LSA’s to describe them and the number of physical links do not equal the number of LSA link counts.

Access List Notes

                Wouldn’t it be nice if all of the information that flows through your network could be controlled?  Wouldn’t it be nice if you could look into the heart of the information flowing around your network and decide where that information was allowed to go?  With Cisco routers you can, and this control is accomplished with Access Lists.  Access Lists are used to identify what traffic can pass through a router and better yet they can differentiate data not only on where it’s coming from or going to, they can also differentiate on the protocol being used. 

What Is An Access List

                An access list is similar to the old basic programs for early computers.  It is a sequential list of statements that the router reads from top to bottom, each statement being an instruction to the router in how to process traffic coming into or leaving a particular port.  In use access lists can be thought of a doorman who decides who can enter and leave the building.

Why Do You Need Access Lists

                The control that access lists give you is all very well, but why would you want this control on your network?  Well there are a variety of reasons:

·         Managing traffic

·         Maximising Bandwidth Potential

·         Security

Managing Traffic

              When the first networks were linked there was not a great deal of traffic between them, however as networks grew in size and complexity they also began to generate more and more traffic.  This growth is mirrored in many organisations today who start out with a single LAN environment and then the company expands and these LAN’s become linked.  Pretty soon the traffic between these sites becomes unmanageable.  Access lists can be the first step in controlling the flow of data between sites and managing the variety of traffic between them.  Another way in which they manage traffic is in temporary links between sites such as an ISDN router that is only used to provide DDR (Dial On Demand Routing) communication on an ad hoc basis. You can set an access list up so that only meant to cross over the connection is deemed “Interesting” enough to cause the router to dial up and establish the temporary link.

Maximising Bandwidth Potential

                The cost of communication over a WAN is still relatively expensive, even for larger companies.  This cost is directly related to the bandwidth used on those links, with many telecommunication companies giving a fairly heavy premium if a company exceeds their bandwidth quota.  Access lists help you maximise your bandwidth potential by managing your traffic, thereby limiting unnecessary traffic on your wan links and saving your company money. 

Security

                Although not their prime or intended function access lists can also be used as a security measure.  Imagine you have a sensitive research facility that needs to be able to communicate with other parts of the network that may not be so secure.  With access lists you can prevent any traffic going into the facility but not traffic going out, you can even differentiate between traffic that has been initiated from within the sensitive area.

Numbered IP Access List Types

            There are two types of access lists Standard and Extended.  They can be defined by the way in which they identify traffic.

Standard IP Access Lists – (1 – 99)

Standard IP Access Lists can be used to permit or deny traffic based on the source address of the traffic.  They can only permit or deny traffic on a range of addresses and therefore block all traffic for that protocol suite.  Although limited in function, standard access lists are still useful for situations requiring no granularity in the control of a particular protocol suite.

Standard IP Access List Command Format

Router(config)# access-list  [number] [permit/deny] [source] [mask]

Parameters

·         [access-list] – primary command

·         [number] – specifies standard access list number in the range 1-99

·         [permit/deny] – specifies whether entry permits or denies against listed condition

·         [source] – source ip-address of the traffic

·         [source mask] – identifies which bits in the address field will be checked

Standard IP Access List Example:

The following example will only allow traffic from the subnet 192.168.0.0 out of ports   S 0/0  and S 0/1. 

Birmingham(config)# access-list 10 permit 192.168.7.0 0.0.255.255

Birmingham(config)# Int S 0/0

Birmingham(config-if)# ip access-group 10 out

Birmingham(config-if)int s 0/1

Birmingham(config-if)# ip access-group 10 out

Extended IP Access Lists – (100 – 199)

Extended Access Lists can be used to permit or deny traffic bases on not only the source address but also the destination address: protocol type and port number.  This gives much greater control and granularity when specifying what traffic can pass through a router.  Although more powerful than Standard Access Lists, care should be taken when using them as it is very easy to find yourself blocking traffic that should otherwise be let through.

Wild Card Bits:

Being able to specify a single address is great for granularity and fine control over the traffic on your network but it can soon become tedious if you have to write an access list permit or deny statement for every single address on your network.  This is where wild card bits come in handy, they allow you to specify a range of addresses or even an entire subnet.

To understand wildcard bits you need to delve back into the realm of binary.

Lets examine the following subnet id

192.168.7.0 = 11000000.10101000.00000111.00000000

If we wanted to match only certain bits we would have to mask them off and we mask them off by putting a 0, if we wish to ignore a bit for matching purposes we would use a 1.

If we wanted to specify traffic only from subnet 192.168.7.0 we would use the following wildcard mask.

IP Address                          11000000.10101000.00000111.00000000

Wild Card Mask 00000000.00000000.00000000.11111111

                                                Must Match         Must Match       Must Match      Any Combination

Wild Card Mask         0        .        0        .       0         .      255 

Keywords for wildcard masks:

Any  = 0.0.0.0 0.0.0.0  (check all bits on all subnet ID’s)

Host =  when this precedes an ip address it indicates all bits should be checked for example:   172.30.16.29 0.0.0.0 can be replaced with host 172.30.16.29

Note* depending on whether you use a permit or deny statement you may be allowing traffic to a range of ip addresses or allowing traffic from a range.

Extended IP Access List Command Format:

router(config)# access-list [number] [permit/deny] [protocol] [source] [source mask] [operator] [port] [destination] [destination wildcard] [operator] [port] [established] [log]

Parameters

·         access-list – primary command

·         [number] – specifies extended access list number in the range 100 – 199

·         [permit/deny] - specifies whether entry permits or denies against listed condition

·         [protocol] – specifies the protocol to be permitted or denied

·         [source] – identifies the source ip address of the traffic

·         [source mask] – specifies the wildcard bits to use against the traffic source

·         [operator] – specifies a logical operator to be tested against the port number (see table)

·         [port] – specifies the port number

·         [destination] - identifies the destination ip address of the traffic

·         [destination mask] – identifies the wildcard bits to use against the destination ip address

·         [established] – allows traffic to bypass access lift if it has the ack bit set indicating that the session is already established.

·         [log] – sends a message to the console

Table Of Port Numbers and Operators Used With Extended Access Lists:

There are many port numbers, the ones listed here are commonly used ones along with the operators that may be used in conjunction with them.

Port Number	Protocol
20	FTP – Data	TCP
21	FTP – Control	TCP
23	Telnet	TCP
25	SMTP	TCP
53	DNS	TCP/UDP
69	TFTP	UDP
80	HTTP	TCP
Operator	Meaning
lt	Port numbers less than specified port
gt	Port numbers greater than specified port
eq	Port number specified
neq	Port numbers other than the specifed port

Extended IP Access List Example:

The following access list will deny all telnet traffic from network 192.168.7.0 out of interface s 0/1.

Router(config)# access list 111 deny tcp 192.168.7.0 0.0.0.255 any eq 23

Router(config)#access list 111 permit ip any any

Router(config-if)# ip access-group 111 out

Note* the any  keyword is a short way of saying all ip addresses and all subnet masks

Named Access Lists

If your router is using Cisco IOS 11.2 or later you can use named access lists.  These access lists allow you associate a standard or extended access list with a name.  This has the advantages of allowing you to easily remember your access lists and it also allows you to delete individual entries from an access list without having to re-enter the entire access list.  

Like numbered access lists, named access lists can be standard or extended and follow the same filtering rules as their numbered counterparts.  There are no particular naming conventions attached to access lists however you do have the option to chose either a name or a number.  If you chose a number the same rules will apply as if creating a named access list your just using the same number ranges you did with numbered access lists!! Confusing!!!

The ip access-list command:

ip access-list [standard/extended] [number/name]

EX:

R1(config)#  ip access-list standard 35  “this is a numbered example but a name could be used”

R1(config-std-nacl)#permit 45.2.3.0 0.0.0.255 

R1(config-std-nacl)#permit 45.2.4.0 0.0.0.255

Editing Access Lists:

It is possible to edit both numbered and named access lists, as long as they were created with the “ip access-list” command and not the “access-list” command.

In order to edit or remove an access-list statement in either a numbered or named access list you must first show the access list with the “show ip access-list” command.  Then you have a choice, to edit the statement simply reference the access-list statement by line number in the access-list sub configuration mode, or to delete an entire line simply ad the no statement in front of that statement and number.  To add an additional statement between two other statements simply insert a new number between them.

Inbound Or Outbound Mode

Access lists are no good unless they are applied to a specific interface.  When you apply an access list you can apply it in one of two modes: inbound or outbound.

Inbound Access Lists
           

Inbound access lists apply to traffic coming into the router.  Inbound access lists are more efficient because the traffic is tested against an access list before being routed to an outbound interface.  

Outbound Access Lists

                Outbound access lists apply to traffic leaving the router.  Outbound Access Lists are less efficient because they require the overhead of internally routing the traffic before it is checked against an access list. 

Applying An Access List:

For an access list to work you need to apply it to an interface as either an outbound or inbound access list.  The command for doing this is as follows:

Router(config-if)# [ip] [access-group] [number] [in/out]

·         [ip] – indicates an ip access list.

·         [access-group] indicates a group of statements with a common access list number.

·         [in/out] – indicates whether the access list is applied to inbound or outbound traffic.

Applying Access Lists to VTY Lines:

You can also use standard access lists to limit access to VTY lines. For example:

router(config)#access-list 4 permit 172.16.35.4

router(config)#line vty 0 4

router(config)#access-class 4 in

Access List Rules and Regulations:

·         Access lists are parsed top to bottom and if a packet matches against a criteria it is forwarded so it is imperative that a deny statement meant for a particular packet type is put before any permit statement that would pass it – a good rule of thumb is to place all of your deny statements at the top of your access list and all of your permit statements at the bottom.

·         The access list contains an implicit deny all – this means that if a packet does not match any of the criteria you have set it will be discarded automatically.  This can cause you serious problems if you place an access list denying traffic on a remote router only to find you have locked yourself out.

·         Place the most frequent test criteria at the top of your access list, this will save on processing overhead making your list more efficient.

·         Check your access list before entering it, you cannot go back and delete or add a line, to change it you will have to delete it and re-enter the entire list.  The exception to this rule is a named access list, which allows you to delete a line.

·         When placing extended access lists place them close to the source

·         When placing standard access lists place them close to the destination

·         Only one access list per interface is allowed

Other IP Access List Commands:

To remove an IP access list you use the following command in global configuration mode:

[no] [access-list] [number]

Parameters:

·         [no] indicates the following is not required any longer

·         [access-list] specifies an access-list

·         [number] specifies the access-list number

To remove an IP access list from an interface use the following command in interface configuration mode:

no ip access-group [number] [in/out]

To verify access list operations the following commands are useful:

router# show ip interface

The output from this command will show what access lists are configured against one or more interfaces.

router# show access-lists

The output from this command will list all access lists configured on the router or only the list specified if you add an access list number.

Access Lists and Debugging:

It is possible to combine an access list and debug commands.  Why would you want to do this?  Imagine a scenario where you want to examine packets flowing between hosts, create an access list that finds this flow interesting and then issue the following command:

router#debug ip packet X [detail]

• X = access list you are referencing
• Detail = keyword to provide detailed logging information

Caution:  debug commands take resources and can bring a system to a halt so be selective and turn off when needed.