Firebrand are simply that good! I have experienced a lot of bad courses over the years, experiences some of you may also have shared! To be honest my main gripes have been the following:
1. Courses not long enough to adequately cover the material
2. Instructors who start with "we aren't going to cover XYZ, you can study that yourself". The worst one was turning up and being told "we won't be covering IPv6, here is a self-study CD from Cisco you can take with you instead" (it was the IPv6 I was really there for!!!)
3. Being stuck in group-dependent labs with people who didn't know the basics and then sitting waiting for them to complete, to the point where on one course I insisted on a lab setup for myself or I wanted my money back, as I was the only one who had any hands-on experience (no one met the prerequisites except me).
4. Instructors who rush the material to finish an hour early
5. Non-official curriculum that you can see from day 1 doesn't cover all the topics.
6. Not enough time to do labs and think about what you are actually doing, just typing away.... no point.
The list could go on - I was a trainer myself and I can recognise an instructor fed up with teaching the subject they are on, and an instructor who can't be bothered or simply can't help a student troubleshoot an issue or explain a technique differently because they don't really have the depth themselves.
That said, one of the best instructors I ever had was a lady who said "we aren't doing the labs provided, they are worthless, and here are the ones we will use" - made by herself and brilliant. She even had a floppy disk (yep, that far back) with all the configs so if you got stuck you could go back or load up if fed up of troubleshooting something, and from my recollection she could troubleshoot anything that you had buggered up.
With all this in mind I found myself in a quandary - I wanted to renew my CCNP. I have had time off studying through work and illness so wanted a course to catch up on what's new and as final prep for the exams - I stress final prep because going on a course without covering the material or concepts first is a recipe for overload and not gaining understanding.
So I scouted about and came up with Firebrand Training - http://www.firebrandtraining.co.uk. They seemed to have good reviews, and not just those on their website but ones on blogs and forums. So with some Cisco credits in hand, negotiated with Cisco and BT, I booked onto the CCNP ROUTE bootcamp.
I arrived a day early as I always do so I can settle myself in, clear my head of work and family and get ready to work. Straight away you could see Firebrand was something different: the location at Wyboston Lakes is amazing, there is a brand to it (no bad thing) and you can see the staff have bought into it and have pride in their job.
The training facility is spacious, with a lounge that provides basically free everything: hot and cold drinks, sweets, fruit and a not-for-profit chocolate vending machine. There's an Xbox and all the staff are close by and happy to answer anything you ask without looking like you are interrupting them. In short they are professionals (everyone) and courteous; you instantly feel settled in and raring to go.
The hotel accommodation is great and so is the food. My room had places to fit the books and training materials I had brought with me and the TV let me use it as a second screen for my Surface Pro. There was a desk lamp and plenty of desk space to lay out materials. The staff know who you are and why you're there; they obviously have a good relationship with Firebrand as they seemed completely natural about Firebrand questions.
At lunch I was asked by the serving staff what I was there for and was I enjoying the stay, and it didn't seem scripted, they were just nice people... I was starting to feel like I had slipped into the "other training dimension" that you imagine but doesn't really exist.
The biggest room bonus was the shower (hot and powerful), that's always a big winner for me!
My course induction was on a Saturday at 6pm and it was a proper induction, and then straight onto the classroom for introductions and going through the logistics. I walked in and WOW, there was actual kit available if I wanted it (not seen that since the old days), although the labs were to be online and official Cisco ones - bonus, you get access for 60 days!
My instructor Dave Peek was obviously still enthused and set the tone for the rest of the week with a plan of how things would go; we then started straight away on some basic recaps - he didn't just say we will get started tomorrow! There was none of the "we aren't going to cover xyz" or rushing through; it was "you're here for 8 days and we will be doing 12 hr days". Not only that, the training centre is open 24/7 and the instructor is normally around till 9:30.... find that anywhere else!
There was a good mix of students - Firebrand is global so they were from the UK and abroad - all of them met the prerequisites but with a mix of experience and roles. We had our evening meal and the instructor sat with us, not slinking off to avoid the students.
So for me the biggest selling point so far is the whole scenario of Firebrand; they seem to have thought of everything - they have made sure all you need to succeed is there and they aren't out to squeeze every little penny from you whilst on site - you could easily go through the whole course without buying anything more or needing a trip to the shops... Right down to the "Failing is not an option" T-shirts (for only £5.00), the message is you have paid and we are going to deliver on that... They take their reputation seriously.
So you would be right in assuming I am a bit of a cynic when it comes to training companies, and if they can win me over you know that they are really that good. I made it my business to "chat" to other candidates on other courses and they all shared the same feeling.
There's a lot more of the course to go so I will finish this post up later with my final review. All I can say is if they deliver on the rest - if I fail it's down to me and nothing else - which is a great feeling.
If I have my way this is where my team will be doing all their training!!
Dark Newt's IT Blog
Saturday 3 December 2016
Friday 11 April 2014
Remembering Cisco Logging Levels:
Remembering lists can be dry and difficult; I like to use the journey method and take myself on a journey through a list. Once I have the headings down I can then "tag" on the additional knowledge; it's a bit like making a framework to build on.
Here is an example I used to remember the Cisco logging levels. If you're studying for the troubleshooting exam this one should be burned into your head!
The error levels:
0 – Emergencies – There was an emergency
1 – Alerts – You alerted the police
2 – Critical Conditions – A man was in a critical condition
3 – Errors – This was an error, he was fine
4 – Warnings – You got a warning for wasting police time
5 – Notification – They sent you a notification of it
6 – Information – It contained information
7 – Debug – The man was only suffering from debug that everyone else has.
This then simply becomes:
There was an Emergency, you Alerted the police! A man was in a Critical Condition, however this was an Error, and you received a Warning from the police for wasting their time. A Notification arrived that contained Information that he just had Debug that everyone else had.
After studying the art of "remembering" there are some useful things you can do to help yourself: the more ridiculous or funny you make your journey the more likely you are to remember it. Visualise your journey as if it was actually something you did; this reinforces the memory and helps your mind retain it.
Apparently this phenomenon is related to the way our memories evolved from the caveman days, where things would be remembered in the form of a journey and drawn on cave walls. Our minds are still wired to work that way!
The whole area of how we remember and the techniques used to improve memory can make for fascinating reading. If you want to learn more, google for "the link system".
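Where the numbers actually turn up in practice is in the IOS system messages themselves, which carry the level in the middle of the %FACILITY-SEVERITY-MNEMONIC tag, and in the logging trap command, which forwards a level and everything more severe (numerically lower) than it. The following Python is an added example written for this post, not code from the original; the sample log lines are constructed (the mnemonics are real IOS ones, the hosts and timestamps are made up), and it assumes the standard keyword names IOS uses for the eight levels.

```python
import re
from collections import Counter

# Cisco IOS severity levels and the keyword each maps to in "logging trap <level>"
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
LEVEL_BY_NAME = {name: level for level, name in SEVERITY_NAMES.items()}

# IOS system messages carry the level in the middle of %FACILITY-SEVERITY-MNEMONIC:
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)


def parse_message(line):
    """Return (facility, severity, mnemonic, text), or None for a line that is not a system message."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return m.group("facility"), int(m.group("severity")), m.group("mnemonic"), m.group("text")


def trap_level(level):
    """Accept the numeric level or its IOS keyword, e.g. 4 or 'warnings'."""
    return level if isinstance(level, int) else LEVEL_BY_NAME[level]


def forwarded(lines, level):
    """Messages a router configured with 'logging trap <level>' would send to a syslog server:
    that level and every more severe (numerically lower) level."""
    limit = trap_level(level)
    out = []
    for line in lines:
        parsed = parse_message(line)
        if parsed is not None and parsed[1] <= limit:
            facility, severity, mnemonic, _ = parsed
            out.append((severity, SEVERITY_NAMES[severity], f"{facility}-{severity}-{mnemonic}"))
    return out


def count_by_level(lines):
    """Number of messages per severity name; a sudden pile-up at one level is worth a look."""
    counts = Counter()
    for line in lines:
        parsed = parse_message(line)
        if parsed is not None:
            counts[SEVERITY_NAMES[parsed[1]]] += 1
    return dict(counts)


# Constructed sample lines (not from the original post); the mnemonics are real IOS ones.
SAMPLE_LOG = [
    "*Mar  1 00:01:02.003: %LINK-3-UPDOWN: Interface Serial1/0, changed state to down",
    "*Mar  1 00:01:03.007: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.1.1 on Serial1/0 from FULL to DOWN, "
    "Neighbor Down: Dead timer expired",
    "*Mar  1 00:02:10.500: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)",
    "*Mar  1 00:03:00.000: %SEC-6-IPACCESSLOGP: list 111 denied tcp 192.168.7.5(1034) -> 10.0.0.1(23), 1 packet",
    "*Mar  1 00:04:00.000: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed, pool Processor",
    "Core_3#show logging",  # a prompt line, not a message: parse_message() returns None for it
]

if __name__ == "__main__":
    for entry in forwarded(SAMPLE_LOG, "warnings"):
        print(entry)
    print(count_by_level(SAMPLE_LOG))
```

With the trap level at warnings (4) only the LINK-3 and SYS-2 lines would reach a collector; the level-5 adjacency change and the level-6 access-list hit would stay in the local buffer, which is exactly the sort of message you want off-box when troubleshooting, so pick the trap level with that in mind.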
Sunday 6 April 2014
OSPF Link Count and the Stub Network Issue:
This is a quick and dirty blog on an issue I came across when discussing the relationship between the number of physical interfaces and OSPF link counts. I hope it's useful.
Understanding link counts can be critical to OSPF troubleshooting: if you don't understand how the link count is generated and its relationship to the physical link count then you can't accurately predict how many LSAs you should be seeing!
Examine the output below:
Core_3#show ip ospf database
Link ID         ADV Router      Age         Seq#       Checksum Link count
10.1.1.1        10.1.1.1        1767        0x80000005 0x006047 4
10.1.2.1        10.1.2.1        1001        0x80000008 0x002A9B 5
10.1.3.1        10.1.3.1        1766        0x80000005 0x00790A 3
10.1.4.1        10.1.4.1        1001        0x80000004 0x00DE64 3
Note the total link count is 15 (4 + 5 + 3 + 3); we will look at this more closely.
Looking at the entry for 10.1.3.1 (Core_3) we can see that there is a link count of 3, but this router actually has only 2 physical interfaces? What's going on??
To understand this, take a look at the interfaces on Core_3:
Core_3#show ip ospf interface
Serial1/0 is up, line protocol is up
Internet Address 10.1.123.3/24, Area 0
Process ID 1, Router ID 10.1.3.1, Network Type POINT_TO_MULTIPOINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:25
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.1.1.1
Suppress hello for 0 neighbor(s)
Loopback3 is up, line protocol is up
Internet Address 10.1.3.1/24, Area 0
Process ID 1, Router ID 10.1.3.1, Network Type POINT_TO_POINT, Cost: 1
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
We can see that there is a point-to-multipoint interface and a point-to-point interface.
Now let's have a look at the interfaces on another router called Core_2. Examining the interfaces on Core_2 you will find there are three physical links, 2 x point-to-point and 1 x point-to-multipoint, but again this router is showing a link count of 5, and this is your first clue as to what is going on: remember each link is described by an entry in the router's Type 1 LSA.
If we look closer at the entries generated for point-to-point links you will find that a point-to-point link is described by two entries: one describes the link to another router (point-to-point) and the other describes the subnet between them as a stub network. We can better understand this by examining the link as follows:
CORE_2#show ip ospf database router self-originate
OSPF Router with ID (10.1.2.1)
(Process ID 1)
Router Link States (Area 0)
LS age: 518
Options: (No TOS-capability, DC)
LS Type: Router Links
Link State ID: 10.1.2.1
Advertising Router: 10.1.2.1
LS Seq Number: 80000006
Checksum: 0x2E99
Length: 84
Number of Links: 5
Link connected to:
another Router (point-to-point)
(Link ID) Neighboring Router ID: 10.1.4.1
(Link Data) Router Interface address: 10.1.124.2
Number of TOS metrics: 0
TOS 0 Metrics: 64
Link connected to:
a Stub Network
(Link ID) Network/subnet number: 10.1.124.0
(Link Data) Network Mask: 255.255.255.0
Number of TOS metrics: 0
TOS 0 Metrics: 64
From the above you can see that for the link to 10.1.4.1 two link entries are generated, one describing the link to the other router and one describing the network itself as a stub network. One more point: you may not be aware that there are several link types within a "Type 1 LSA". Here's a handy reference table for them:
LSA Type 1 (Router LSA)
Link Type | Description                           | Link ID field contents
1         | Point-to-point link to another router | Neighboring router's ID
2         | Link to a transit network             | DR's interface address
3         | Link to a stub network                | Network/subnet number
4         | Virtual link                          | Neighboring router's ID
I like to think of it this way: if you have only one choice of where you enter and where you leave the network and no election is held, then OSPF describes it as a stub. If there is an election held and there are multiple exits (a shared subnet), then it is described as a transit network.
This is an important concept to grasp. Talking with others who are studying OSPF, they get really confused when their links don't tally up, so keep that in your head: point-to-point links take two link entries to describe them, and the number of physical links does not equal the link count in the LSA.
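To make the tally predictable rather than a surprise, the rules from RFC 2328 section 12.4.1 can be turned into a small calculator that reads the "show ip ospf interface" output shown above and works out the link count you should see in "show ip ospf database". This is an added example, not code from the post: it treats Cisco's "Adjacent neighbor count" as the number of neighbours in Full state (an assumption), models the point-to-point stub entry as the subnet, which is what the CORE_2 output shows, and ignores things like secondary addresses and unnumbered links that can also change the count. The Core_3 text is an abridged copy of the output above; the second sample is constructed.

```python
import re

# The three lines of "show ip ospf interface" output that the calculation needs
IFACE_RE = re.compile(r"^(\S+) is (up|down|administratively down), line protocol is (up|down)")
TYPE_RE = re.compile(r"Network Type (\S+),")
ADJ_RE = re.compile(r"Adjacent neighbor count is (\d+)")


def parse_ospf_interfaces(text):
    """Return [(name, network_type, adjacent_neighbors)] for the interfaces that are up/up."""
    interfaces, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            current = {"name": m.group(1), "type": None, "adj": 0,
                       "up": m.group(2) == "up" and m.group(3) == "up"}
            interfaces.append(current)
            continue
        if current is None:
            continue
        m = TYPE_RE.search(line)
        if m:
            current["type"] = m.group(1)
        m = ADJ_RE.search(line)
        if m:
            current["adj"] = int(m.group(1))
    return [(i["name"], i["type"], i["adj"]) for i in interfaces if i["up"]]


def links_for_interface(network_type, adjacent):
    """Router-LSA link entries one interface contributes (RFC 2328 section 12.4.1; the
    subnet-as-stub behaviour for point-to-point links is what the post's CORE_2 output shows)."""
    if network_type == "POINT_TO_POINT":
        # one point-to-point entry if the neighbour is adjacent, plus the stub entry for the subnet
        return min(adjacent, 1) + 1
    if network_type == "POINT_TO_MULTIPOINT":
        # one point-to-point entry per adjacent neighbour, plus a stub entry for the interface's own /32
        return adjacent + 1
    if network_type in ("BROADCAST", "NON_BROADCAST"):
        # always exactly one entry: a transit network if a DR exists and we are adjacent to it, else a stub
        return 1
    if network_type == "LOOPBACK":
        return 1  # advertised as a stub host route
    raise ValueError(f"unhandled network type: {network_type}")


def link_breakdown(text):
    """Per-interface contributions, in the order the interfaces appear in the output."""
    return [(name, links_for_interface(ntype, adj)) for name, ntype, adj in parse_ospf_interfaces(text)]


def expected_link_count(text):
    """The 'Link count' you should see for this router in show ip ospf database."""
    return sum(count for _, count in link_breakdown(text))


# Abridged copy of the Core_3 output above, keeping only the lines the parser reads
CORE_3_OUTPUT = """\
Serial1/0 is up, line protocol is up
  Internet Address 10.1.123.3/24, Area 0
  Process ID 1, Router ID 10.1.3.1, Network Type POINT_TO_MULTIPOINT, Cost: 64
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.1.1.1
Loopback3 is up, line protocol is up
  Internet Address 10.1.3.1/24, Area 0
  Process ID 1, Router ID 10.1.3.1, Network Type POINT_TO_POINT, Cost: 1
  Neighbor Count is 0, Adjacent neighbor count is 0
"""

# Constructed output (not from the post): a broadcast segment plus a shut-down serial link
CONSTRUCTED_OUTPUT = """\
FastEthernet0/0 is up, line protocol is up
  Internet Address 10.1.10.1/24, Area 0
  Process ID 1, Router ID 10.1.9.1, Network Type BROADCAST, Cost: 10
  Neighbor Count is 2, Adjacent neighbor count is 1
Serial0/1 is administratively down, line protocol is down
  Internet Address 10.1.19.1/30, Area 0
  Process ID 1, Router ID 10.1.9.1, Network Type POINT_TO_POINT, Cost: 64
  Neighbor Count is 0, Adjacent neighbor count is 0
"""

if __name__ == "__main__":
    print(link_breakdown(CORE_3_OUTPUT), "->", expected_link_count(CORE_3_OUTPUT))
```

For Core_3 the breakdown is Serial1/0 = 2 (one point-to-point entry for the adjacency with 10.1.1.1 plus the stub for its own address) and Loopback3 = 1 (a stub only, as it has no neighbour), giving the 3 seen in the database. When the number the calculator gives and the number the router shows disagree, the interface whose contribution is off is usually the one with an adjacency stuck short of Full.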
Access List Notes
Wouldn't it be nice if all of the information that flows through your network could be controlled? Wouldn't it be nice if you could look into the heart of the information flowing around your network and decide where that information was allowed to go? With Cisco routers you can, and this control is accomplished with access lists.
Access lists are used to identify what traffic can pass through a router, and better yet they can differentiate data not only on where it's coming from or going to, they can also differentiate on the protocol being used.
What Is An Access List
An access list is similar to the old BASIC programs for early computers. It is a sequential list of statements that the router reads from top to bottom, each statement being an instruction to the router on how to process traffic coming into or leaving a particular port. In use, an access list can be thought of as a doorman who decides who can enter and leave the building.
Why Do You Need Access Lists
The control that access lists give you is all very well, but why would you want this control on your network? Well, there are a variety of reasons:
· Managing traffic
· Maximising bandwidth potential
· Security
Managing Traffic
When the first networks were linked there was not a great deal of traffic between them; however, as networks grew in size and complexity they also began to generate more and more traffic. This growth is mirrored in many organisations today who start out with a single LAN environment, and then the company expands and these LANs become linked. Pretty soon the traffic between these sites becomes unmanageable. Access lists can be the first step in controlling the flow of data between sites and managing the variety of traffic between them.
Another way in which they manage traffic is on temporary links between sites, such as an ISDN router that is only used to provide DDR (Dial On Demand Routing) communication on an ad hoc basis. You can set an access list up so that only the traffic meant to cross over the connection is deemed "interesting" enough to cause the router to dial up and establish the temporary link.
Maximising Bandwidth Potential
The cost of communication over a WAN is still relatively expensive, even for larger companies. This cost is directly related to the bandwidth used on those links, with many telecommunication companies charging a fairly heavy premium if a company exceeds its bandwidth quota. Access lists help you maximise your bandwidth potential by managing your traffic, thereby limiting unnecessary traffic on your WAN links and saving your company money.
Security
Although not their prime or intended function, access lists can also be used as a security measure. Imagine you have a sensitive research facility that needs to be able to communicate with other parts of the network that may not be so secure. With access lists you can prevent any traffic going into the facility but not traffic going out; you can even differentiate between traffic that has been initiated from within the sensitive area.
Numbered IP Access List Types
There are two types of access lists, standard and extended. They are distinguished by the way in which they identify traffic.
Standard IP Access Lists – (1 – 99)
Standard IP access lists can be used to permit or deny traffic based on the source address of the traffic. They can only permit or deny traffic on a range of addresses and therefore block all traffic for that protocol suite. Although limited in function, standard access lists are still useful for situations requiring no granularity in the control of a particular protocol suite.
Standard IP Access List Command Format
Router(config)# access-list [number] [permit/deny] [source] [mask]
Parameters
· [access-list] – primary command
· [number] – specifies the standard access list number, in the range 1-99
· [permit/deny] – specifies whether the entry permits or denies against the listed condition
· [source] – source IP address of the traffic
· [source mask] – identifies which bits in the address field will be checked
Standard IP Access List Example:
The following example will only allow traffic from the subnet 192.168.0.0 out of ports S 0/0 and S 0/1.
Birmingham(config)# access-list 10 permit 192.168.7.0 0.0.255.255
Birmingham(config)# int s 0/0
Birmingham(config-if)# ip access-group 10 out
Birmingham(config-if)# int s 0/1
Birmingham(config-if)# ip access-group 10 out
Extended IP Access Lists – (100 – 199)
Extended access lists can be used to permit or deny traffic based not only on the source address but also on the destination address, protocol type and port number. This gives much greater control and granularity when specifying what traffic can pass through a router. Although more powerful than standard access lists, care should be taken when using them as it is very easy to find yourself blocking traffic that should otherwise be let through.
Wild Card Bits:
Being able to specify a single address is great for granularity and fine control over the traffic on your network, but it can soon become tedious if you have to write an access list permit or deny statement for every single address on your network. This is where wildcard bits come in handy; they allow you to specify a range of addresses or even an entire subnet.
To understand wildcard bits you need to delve back into the realm of binary.
Let's examine the following subnet ID:
192.168.7.0 = 11000000.10101000.00000111.00000000
If we wanted to match only certain bits we would have to mask them off, and we mask them off by putting a 0; if we wish to ignore a bit for matching purposes we would use a 1.
If we wanted to specify traffic only from subnet 192.168.7.0 we would use the following wildcard mask:
IP Address       11000000.10101000.00000111.00000000
Wild Card Mask   00000000.00000000.00000000.11111111
                 Must match Must match Must match Any combination
Wild Card Mask   0.0.0.255
Keywords for wildcard masks:
any = 0.0.0.0 255.255.255.255 (every bit is ignored, so any address matches)
host = when this precedes an IP address it indicates all bits should be checked. For example, 172.30.16.29 0.0.0.0 can be replaced with host 172.30.16.29
Note* depending on whether you use a permit or deny statement you may be allowing traffic to a range of IP addresses or allowing traffic from a range.
Extended IP Access List Command Format:
router(config)# access-list [number] [permit/deny] [protocol] [source] [source mask] [operator] [port] [destination] [destination wildcard] [operator] [port] [established] [log]
Parameters
· access-list – primary command
· [number] – specifies the extended access list number, in the range 100 – 199
· [permit/deny] – specifies whether the entry permits or denies against the listed condition
· [protocol] – specifies the protocol to be permitted or denied
· [source] – identifies the source IP address of the traffic
· [source mask] – specifies the wildcard bits to use against the traffic source
· [operator] – specifies a logical operator to be tested against the port number (see table)
· [port] – specifies the port number
· [destination] – identifies the destination IP address of the traffic
· [destination mask] – identifies the wildcard bits to use against the destination IP address
· [established] – allows traffic to bypass the access list if it has the ACK bit set, indicating that the session is already established.
· [log] – sends a message to the console
Table Of Port Numbers and Operators Used With Extended Access Lists:
There are many port numbers; the ones listed here are commonly used ones, along with the operators that may be used in conjunction with them.
Port Number | Protocol      | Transport
20          | FTP – Data    | TCP
21          | FTP – Control | TCP
23          | Telnet        | TCP
25          | SMTP          | TCP
53          | DNS           | TCP/UDP
69          | TFTP          | UDP
80          | HTTP          | TCP

Operator | Meaning
lt       | Port numbers less than the specified port
gt       | Port numbers greater than the specified port
eq       | The port number specified
neq      | Port numbers other than the specified port
Extended IP Access List Example:
The following access list will deny all telnet traffic from network 192.168.7.0 out of interface s 0/1.
Router(config)# access-list 111 deny tcp 192.168.7.0 0.0.0.255 any eq 23
Router(config)# access-list 111 permit ip any any
Router(config)# interface s 0/1
Router(config-if)# ip access-group 111 out
Note* the any keyword is a short way of saying all IP addresses and all subnet masks.
Named Access Lists
If your router is using Cisco IOS 11.2 or later you can use named access lists. These access lists allow you to associate a standard or extended access list with a name. This has the advantages of allowing you to easily remember your access lists, and it also allows you to delete individual entries from an access list without having to re-enter the entire access list.
Like numbered access lists, named access lists can be standard or extended and follow the same filtering rules as their numbered counterparts. There are no particular naming conventions attached to access lists; however, you do have the option to choose either a name or a number. If you choose a number the same rules apply as if creating a named access list, you're just using the same number ranges you did with numbered access lists!! Confusing!!!
The ip access-list command:
ip access-list [standard/extended] [number/name]
EX:
R1(config)# ip access-list standard 35   (this is a numbered example, but a name could be used)
R1(config-std-nacl)# permit 45.2.3.0 0.0.0.255
R1(config-std-nacl)# permit 45.2.4.0 0.0.0.255
Editing Access Lists:
It is possible to edit both numbered and named access lists, as long as they were created with the "ip access-list" command and not the "access-list" command.
In order to edit or remove an access-list statement in either a numbered or named access list you must first show the access list with the "show ip access-list" command. Then you have a choice: to edit the statement, simply reference the access-list statement by line number in the access-list sub-configuration mode, or to delete an entire line, simply add "no" in front of that statement and number. To add an additional statement between two other statements, simply insert a new number between them.
Inbound Or Outbound Mode
Access lists are no good unless they are applied to a specific interface. When you apply an access list you can apply it in one of two modes: inbound or outbound.
Inbound Access Lists
Inbound access lists apply to traffic coming into the router. Inbound access lists are more efficient because the traffic is tested against the access list before being routed to an outbound interface.
Outbound Access Lists
Outbound access lists apply to traffic leaving the router. Outbound access lists are less efficient because they require the overhead of internally routing the traffic before it is checked against the access list.
Applying An Access List:
For an access list to work you need to apply it to an interface as either an outbound or inbound access list. The command for doing this is as follows:
Router(config-if)# [ip] [access-group] [number] [in/out]
· [ip] – indicates an IP access list.
· [access-group] – indicates a group of statements with a common access list number.
· [in/out] – indicates whether the access list is applied to inbound or outbound traffic.
Applying Access Lists to VTY Lines:
You can also use standard access lists to limit access to the VTY lines. For example:
router(config)# access-list 4 permit 172.16.35.4
router(config)# line vty 0 4
router(config-line)# access-class 4 in
Access List Rules and Regulations:
· Access lists are parsed top to bottom, and processing stops at the first entry a packet matches, with that entry's permit or deny applied. It is therefore imperative that a deny statement meant for a particular packet type is put before any permit statement that would pass it – a good rule of thumb is to place all of your deny statements at the top of your access list and all of your permit statements at the bottom.
· The access list contains an implicit deny all – this means that if a packet does not match any of the criteria you have set it will be discarded automatically. This can cause you serious problems if you place an access list denying traffic on a remote router only to find you have locked yourself out.
· Place the most frequent test criteria at the top of your access list; this will save on processing overhead, making your list more efficient.
· Check your access list before entering it: you cannot go back and delete or add a line, and to change it you will have to delete it and re-enter the entire list. The exception to this rule is a named access list, which allows you to delete a line.
· When placing extended access lists, place them close to the source.
· When placing standard access lists, place them close to the destination.
· Only one access list per interface (per protocol and direction) is allowed.
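The wildcard-bit rules and the parsing rules above (top to bottom, first match wins, implicit deny at the end) are easy to get wrong by eye, so here is a small Python simulator, added for this post and not code from the original, that parses numbered standard and extended statements in the format shown earlier and evaluates a packet against them. It models the lt/gt/eq/neq operators, the any and host keywords, established and log, and nothing else (no named port keywords such as "telnet", no icmp types, no "range"); the packets are constructed test inputs.

```python
import ipaddress
import re

DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF  # the bits that must match
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def parse_address(tokens):
    """Consume 'any', 'host A', or 'A WILDCARD'; a bare A (as in a standard list) means wildcard 0.0.0.0."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    if tokens and DOTTED_QUAD.match(tokens[0]):
        return (tok, tokens.pop(0))
    return (tok, "0.0.0.0")


def parse_port(tokens):
    """Consume an optional port test: lt/gt/eq/neq N, the operators from the table above."""
    if tokens and tokens[0] in ("lt", "gt", "eq", "neq"):
        op = tokens.pop(0)
        return (op, int(tokens.pop(0)))
    return None


def port_match(test, port):
    if test is None:
        return True
    op, n = test
    return {"lt": port < n, "gt": port > n, "eq": port == n, "neq": port != n}[op]


def parse_entry(line):
    """Parse one 'access-list N permit|deny ...' line; 1-99 is standard, 100-199 is extended."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("expected an access-list statement: " + line)
    number, action, tokens = int(tokens[1]), tokens[2], tokens[3:]
    entry = {"number": number, "action": action, "protocol": "ip", "src": None, "sport": None,
             "dst": ("0.0.0.0", "255.255.255.255"), "dport": None}
    if 100 <= number <= 199:
        entry["protocol"] = tokens.pop(0)
        entry["src"] = parse_address(tokens)
        entry["sport"] = parse_port(tokens)
        entry["dst"] = parse_address(tokens)
        entry["dport"] = parse_port(tokens)
    elif 1 <= number <= 99:
        entry["src"] = parse_address(tokens)  # standard lists test the source only
    else:
        raise ValueError("only numbered IP lists 1-99 and 100-199 are modelled")
    entry["established"] = "established" in tokens
    entry["log"] = "log" in tokens
    return entry


def entry_matches(entry, pkt):
    if entry["protocol"] not in ("ip", pkt["protocol"]):
        return False
    if not wildcard_match(pkt["src"], *entry["src"]) or not wildcard_match(pkt["dst"], *entry["dst"]):
        return False
    if not port_match(entry["sport"], pkt.get("sport", 0)) or not port_match(entry["dport"], pkt.get("dport", 0)):
        return False
    if entry["established"] and not (pkt["protocol"] == "tcp" and pkt.get("ack", False)):
        return False  # 'established' only passes TCP segments with ACK set
    return True


def evaluate(acl_lines, pkt):
    """Top to bottom, first match wins; no match means the implicit deny at the end of every list."""
    for line in acl_lines:
        if entry_matches(parse_entry(line), pkt):
            return parse_entry(line)["action"], line
    return "deny", "implicit deny"


# The two lists from the post, as the lines you would type after the prompt
ACL_111 = ["access-list 111 deny tcp 192.168.7.0 0.0.0.255 any eq 23",
           "access-list 111 permit ip any any"]
ACL_10 = ["access-list 10 permit 192.168.7.0 0.0.255.255"]

if __name__ == "__main__":
    telnet = {"protocol": "tcp", "src": "192.168.7.5", "dst": "10.0.0.1", "sport": 1034, "dport": 23}
    print(evaluate(ACL_111, telnet))
    print(evaluate(ACL_10, {"protocol": "tcp", "src": "10.1.1.1", "dst": "10.0.0.1"}))
```

Two things the simulator makes visible: ACL 10's wildcard 0.0.255.255 permits the whole of 192.168.0.0/16, not just 192.168.7.0/24 (the third octet is in the "ignore" bits), and a list containing only permit tcp any any established drops every fresh SYN because of the implicit deny, which is the behaviour you rely on when letting return traffic back in.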
Other IP Access List Commands:
To remove an IP access list you use the following command in global configuration mode:
[no] [access-list] [number]
Parameters:
· [no] – indicates the following is not required any longer
· [access-list] – specifies an access list
· [number] – specifies the access list number
To remove an IP access list from an interface use the following command in interface configuration mode:
no ip access-group [number] [in/out]
To verify access list operations the following commands are useful:
router# show ip interface
The output from this command will show what access lists are configured against one or more interfaces.
router# show access-lists
The output from this command will list all access lists configured on the router, or only the list specified if you add an access list number.
Access Lists and Debugging:
It is possible to combine an access list and debug commands. Why would you want to do this? Imagine a scenario where you want to examine packets flowing between hosts: create an access list that finds this flow interesting and then issue the following command:
router# debug ip packet X [detail]
- X = the access list you are referencing
- detail = keyword to provide detailed logging information
Caution: debug commands take resources and can bring a system to a halt, so be selective and turn them off when no longer needed.