CCIE R&S Reading List

Posted by Bradley | Uncategorized | Tuesday 16 February 2010 15:50

One of the first things I repeatedly came across when I was beginning my preparation for the CCIE lab was: don’t focus on the commands, having a deep understanding of the core technologies is key.

The official CCIE Book List by Cisco is mental; I don’t think it’s really practical to read through the entire list in any reasonable amount of time. Below are some of the books I have read in my preparations, although I am not suggesting that what was right for me will be right for you. I am also only going to mention hard copy books; stuff like the DocCD and RFCs are invaluable as well.

I started this with a decent enough CCNA/CCNP level of knowledge. From the CCNP track I would recommend the books from the BSCI and BCMSN as a casual warm up. The smaller portable command guides for BSCI and BCMSN are also quite handy for a quick reference on how to set stuff up, but they are not at CCIE level so don’t plan on using them for long unless you have a temporary brain malfunction.

I also read through a generic, non-vendor-oriented book on networking and would highly recommend it; reading through a non-Cisco book really clarified a lot of things for me. This is because the book focuses entirely on the technology and protocols and less on a vendor’s implementation or view of the protocols.

Routing TCP/IP, Volume 1 (2nd Edition) – People sometimes refer to this book as the bible of networking; it’s deep, thorough and enjoyable. Doyle and Carroll have done an amazing job on this and it’s definitely a must read for the core technologies. I personally consider this the best book to read for IGPs.

Routing TCP/IP, Volume II (CCIE Professional Development) – The second volume of Routing TCP/IP focuses on technologies not covered in the original, mainly BGP, Multicast, IPv6 and IP Services. I don’t believe it’s the best book for BGP, but it does have a lot of detail and is written well, although it could do with an update, notably in the IPv6 section.

Troubleshooting IP Routing Protocols (CCIE Professional Development Series) – This book is incredible; I don’t know why this wasn’t in my life sooner. When the troubleshooting section came out, I was quite concerned about my methodology. This book has shown me that any routing protocol problem can be solved with the right approach. It has a nice and reasonably brief overview of each routing protocol and then provides systematic processes to solve problems with them: it has flow charts, example problems, show command outputs with the problems. It’s freaking awesome!

MPLS Fundamentals – Although the title has “fundamentals” in it, don’t be tricked into thinking this is a basic level book. It goes from basic knowledge to SP-level CCIE stuff in a reasonably short amount of time. It’s all good stuff and I particularly enjoyed the section on the background and the false truths about MPLS. I read through chapters 1 to 7 and the chapter on MPLS L3 VPNs; it’s very well written and I am sure I will be referring to it many times in the future past my CCIE.

Cisco QOS Exam Certification Guide (IP Telephony Self-Study) (2nd Edition) – Now this is a good book and it goes into detail in all the right and interesting places. For instance, a random fact I found in this book was: the speed of light in a vacuum is 3.0 x 10^8 m/s, which we have all probably come across at some point, but the speed of transmission over copper and optical media is generally measured not at the speed of light but at 2.1 x 10^8 m/s. But please don’t get me wrong, I had real difficulty reading this as my own personal tastes just find QoS boring; I genuinely couldn’t read more than 20 to 50 pages (if that) while staying awake. The book is well written and a great reference guide, I just couldn’t personally read it cover to cover as I don’t enjoy QoS.

CCIE Routing and Switching Exam Certification Guide (4th Edition) – This is the official guide for the written; it’s designed for the 350-001 written and not so much for the lab, but it does have most of the topics in a single book. I haven’t read the latest version 4 as of yet.

Books which I am yet to read, but planning to

Developing IP Multicast Networks, Volume I by Beau Williamson – This has been recommended in some other places in regards to multicast. I have heard it could do with a bit of an update but is still very valuable. I am planning on getting it soon.

Internet Routing Architectures (2nd Edition) by Wendell Odom, Michael J. Cavanaugh – Another one on my to-read list. I have heard this is THE book for BGP, will definitely be getting this next.

Understanding Zone Based Firewalls

Posted by Bradley | Security | Tuesday 9 February 2010 12:48

One of the new topics on the blueprint is zone based firewalls. In my head (and possibly not in reality) it’s like CBAC with some extra bells and whistles, but between virtual zones. I wasn’t particularly hot on the subject but after a review it’s really not that bad; you just have to follow the key steps.

1. Define your security zones
Firstly choose what security zones you wish to define. You can choose almost any name you like; I have just chosen internal and external for my test, and there’s no reason why you couldn’t have 3, 4 or more zones if required. There is also a default, system-defined zone, called “local” here (it appears as “self” in the show zone security output below), which is for traffic originated by or sent to the router itself as opposed to passing through it. So as far as I am aware, if you don’t play around with the local zone it shouldn’t affect your routing protocol traffic, as that does not pass through the router. Define the zones with the following commands:

Router(config)#zone security internal
Router(config-sec-zone)#exit
Router(config)#zone security external
Router(config-sec-zone)#exit

2. Assign interfaces to the relevant zones
Under each interface you wish to link to a zone, use the following command; here the interface is linked to the zone “internal”.

Router(config-if)#zone-member security internal

3. Define your class maps
Split your traffic up into classes and make sure you use the “type inspect” option when defining them. The simple one below uses NBAR to classify HTTP packets. I won’t explain class or policy maps in much detail as most other candidates should be familiar with them from MQC.

class-map type inspect match-all http
 match protocol http

4. Tie up the class maps in a policy map
Now define the action for each of the classes defined in the class maps; make sure you use the “inspect” action if you wish to inspect the traffic so that return traffic is allowed. In the example below I have named the policy zonebasedfw; anything not matched by the http class falls into class-default and is dropped.

policy-map type inspect zonebasedfw
 class type inspect http
  inspect
 class class-default
  drop

5. Tie it all together in a zone pair
Finally create a zone pair with your own name (I chose “internal-to-external”), define your source and destination zones and apply the pre-defined policy.

zone-pair security internal-to-external source internal destination external
 service-policy type inspect zonebasedfw
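To make the behaviour of the five steps concrete, here is an added Python model (not IOS code and not from the original post) of the configuration above: interfaces mapped to zones, one zone pair, the http class inspected and class-default dropped. The interface names, addresses, protocol names and the extra “pass” action are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed model of the post's config (added example, not IOS code).
ZONE_OF_INTERFACE = {            # zone-member security <zone> on each interface
    "FastEthernet0/0": "internal",
    "FastEthernet1/0": "internal",
    "FastEthernet0/1": "external",
}
CLASS_MAPS = {"http": {"http"}}  # class-map type inspect match-all http / match protocol http
ZONE_PAIRS = {                   # zone-pair internal-to-external with policy-map zonebasedfw
    ("internal", "external"): [("http", "inspect"), ("class-default", "drop")],
}


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str   # interface chosen by the routing lookup
    src: str
    dst: str
    proto: str    # NBAR-style protocol name, e.g. "http", "telnet"


class ZoneFirewall:
    def __init__(self):
        self.sessions = set()  # (src, dst, proto) tuples learned by "inspect"

    def forward(self, pkt: Packet) -> str:
        src_zone = ZONE_OF_INTERFACE.get(pkt.in_if)
        dst_zone = ZONE_OF_INTERFACE.get(pkt.out_if)
        if src_zone == dst_zone:
            return "permit"    # same zone (or both interfaces unzoned): no policy applies
        if src_zone is None or dst_zone is None:
            return "drop"      # a zoned and an unzoned interface cannot talk to each other
        if (pkt.dst, pkt.src, pkt.proto) in self.sessions:
            return "permit"    # return traffic of an inspected session
        policy = ZONE_PAIRS.get((src_zone, dst_zone))
        if policy is None:
            return "drop"      # no zone pair in this direction
        for class_name, action in policy:   # first matching class wins, as in MQC
            if class_name == "class-default" or pkt.proto in CLASS_MAPS[class_name]:
                if action == "inspect":
                    self.sessions.add((pkt.src, pkt.dst, pkt.proto))
                    return "permit"
                return "permit" if action == "pass" else "drop"
        return "drop"


def demo() -> list:
    """Outbound HTTP is inspected, its reply is allowed, unsolicited inbound HTTP is not."""
    fw = ZoneFirewall()
    out = Packet("FastEthernet0/0", "FastEthernet0/1", "10.10.10.100", "203.0.113.10", "http")
    back = Packet("FastEthernet0/1", "FastEthernet0/0", "203.0.113.10", "10.10.10.100", "http")
    return [fw.forward(out), fw.forward(back), ZoneFirewall().forward(back)]
```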

Verification
There are two handy verification commands which I am aware of. Firstly sh zone security, as shown below, indicates which interfaces are linked to which zone:

Router#sh zone security
zone self
  Description: System defined zone

zone internal
  Member Interfaces:
    FastEthernet0/0
    FastEthernet1/0

zone external
  Member Interfaces:
    FastEthernet0/1

And sh zone-pair security shows the details of the zone pair, notably which policy has been applied in which direction.

Router#sh zone-pair security
Zone-pair name internal-to-external
    Source-Zone internal  Destination-Zone external
    service-policy zonebasedfw

Understanding uRPF – Unicast Reverse Path Forwarding

Posted by Bradley | Security | Monday 8 February 2010 19:21

Spoofed packets are a big problem on the Internet; they are commonly used in DNS amplification attacks and TCP SYN floods. Unfortunately there is no simple way to totally fix all spoofed packets on the Internet, but if service providers implement ingress filtering on their network it effectively stops such attacks with spoofed source addresses coming from their patch.

The process is actually standardised Best Practice in BCP 38 “Network Ingress Filtering”, which all service providers should implement if they have Internet facing services, for good karma.

There are a number of ways of implementing ingress filtering; one of the technically simplest is to create ACLs of your customers’ global address ranges and only allow packets sourced from those ranges to leave your network. Configuration-wise, Unicast Reverse Path Forwarding (uRPF) is in my opinion the simplest way of managing this, and it has a couple of extra features.

uRPF checks incoming unicast packets and validates that a return path exists; there is not much point in forwarding a packet if the router doesn’t know how to return it, right?

There are two modes of uRPF: strict and loose. Strict mode checks that the source of the packet is reachable via the interface it came in on. This is nice for extra security on the edge of your network, but not so good if you have multiple edges towards the Internet, e.g. you peer at multiple IXPs where you might expect asymmetric routing. In such cases loose mode is used, which only checks that a return route to the source exists in the routing table.

Configuration
The configuration is super simple. After CEF has been enabled, just go to the interface on which you wish to check inbound traffic and use the following command, with the “rx” option for strict mode or “any” for loose mode.

Router(config-if)#ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received
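The difference between the two modes, as an added Python simulation that is not from the post: a longest-prefix lookup of the packet’s source address against a small constructed routing table, then the “rx” (strict) or “any” (loose) decision. The table, interface names and the `allow_default` switch (mirroring the IOS allow-default keyword, which the post does not cover) are assumptions for illustration.

```python
import ipaddress

# Constructed routing table (added example): prefix -> outgoing interface.
ROUTES = {
    "0.0.0.0/0": "FastEthernet0/1",      # default route towards the upstream
    "10.10.10.0/24": "FastEthernet0/0",  # customer LAN
    "192.0.2.0/24": "FastEthernet1/0",   # second customer link
    "198.51.100.0/24": "Null0",          # blackholed range
}


def best_route(src: str):
    """Longest-prefix match on the source address (the CEF/FIB lookup uRPF relies on)."""
    addr = ipaddress.ip_address(src)
    match = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (match is None or net.prefixlen > match[0].prefixlen):
            match = (net, iface)
    return match


def urpf_check(src: str, in_if: str, mode: str, allow_default: bool = False) -> bool:
    """mode "rx" = strict (reachable-via rx), "any" = loose (reachable-via any).

    allow_default mirrors the IOS allow-default keyword: without it a source that
    matches only the default route fails the check in both modes.
    """
    route = best_route(src)
    if route is None:
        return False                  # no return route at all
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False
    if iface == "Null0":
        return False                  # a route to Null0 fails even loose mode
    if mode == "rx":
        return iface == in_if         # strict: the reply would leave via the ingress interface
    if mode == "any":
        return True                   # loose: any real return route is enough
    raise ValueError(f"unknown mode {mode!r}")
```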

Verification
Obviously you can check the running config to see if it’s configured, but if you’re a fan of using other show commands it’s visible under sh cef interface and sh ip interface as shown below:

Router#sh cef  interface fastEthernet 0/0 | i RPF
  IP unicast RPF check is enabled
Router# sh ip int fa0/0 | i verify
  IP verify source reachable-via RX

Netflow

Posted by Bradley | Security | Thursday 4 February 2010 11:15

NetFlow is a great tool developed by Cisco which is commonly used for bandwidth monitoring and traffic analysis. It’s used quite heavily where I work for detecting and dealing with security related incidents (I talked about it at the last UKNOF meeting here). Although originally developed by Cisco, other vendors support it under their own product names, and there is a standardised version of it under the name IPFIX.

Like with anything, I thoroughly recommend you test this out before rolling it out to your production systems, as on high traffic networks it can cause CPU problems; in such cases most people change the amount of sampling. If you are worried about this, Cisco has produced a white paper on working out the resource utilisation of NetFlow.

Configuration

First of all, to configure it choose the interfaces you want to monitor and decide if you want to monitor ingress, egress or both:

Router(config-if)#ip flow ?
egress Enable outbound NetFlow
ingress Enable inbound NetFlow

There are plenty of extra global options available; below is an example of the configuration to capture the packet length, TTL and the MAC addresses.

ip flow-capture packet-length
ip flow-capture ttl
ip flow-capture mac-addresses

Most implementations of NetFlow export the data to a remote server for analysis, and there are plenty of NetFlow analysis software choices. There are three versions supported on Cisco routers at present: 1, 5 and 9. Version 1 was designed for classful networks and is almost obsolete, Version 5 is designed for IPv4 unicast flows, and Version 9 is the newest and can carry BGP next hop information, IPv6, multicast and MPLS.

NetFlow won’t export each packet’s headers as a separate packet; it collects the flow records together and reports them in a single UDP packet via export. In my example at the bottom of this post, 715 flows have been exported in 48 UDP packets.

ip flow-export version 9
ip flow-export destination 10.10.10.10 555
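As an added illustration (not from the post or Cisco) of how several flow records ride in one export datagram, here is a Python parser for the fixed-layout NetFlow version 5 export format that the post lists; version 9 is template-based and does not fit here. The sample datagram is constructed inline from two of the flows in the top-talkers output further down, with packet counts and interface indexes made up.

```python
import ipaddress
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                  # 24-byte datagram header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48 bytes per flow record


def parse_v5(datagram: bytes):
    """Return (header, flows) for one NetFlow v5 export datagram, checking its framing."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    hdr = V5_HEADER.unpack_from(datagram, 0)
    version, count, seq, sampling = hdr[0], hdr[1], hdr[5], hdr[8]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field {version})")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"record count {count} disagrees with datagram length {len(datagram)}")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])), "dst": str(ipaddress.IPv4Address(f[1])),
            "in_if": f[3], "out_if": f[4], "packets": f[5], "bytes": f[6],
            "src_port": f[9], "dst_port": f[10], "tcp_flags": f[12], "proto": f[13],
        })
    header = {"version": version, "count": count, "sequence": seq,
              "sampling_interval": sampling & 0x3FFF}   # low 14 bits hold the interval
    return header, flows


def build_v5(flows, seq: int = 0) -> bytes:
    """Construct a v5 datagram so the example runs offline (a real exporter sends these over UDP)."""
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       b"\0" * 4, 1, 2, pkts, octets, 0, 0, sp, dp, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, proto, sp, dp, pkts, octets in flows)
    return V5_HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, 0) + body


# Constructed sample: two flows from the post's top-talkers output (proto 6 = TCP, ports shown in hex there).
SAMPLE = build_v5([
    ("74.125.165.145", "10.10.10.100", 6, 0x0050, 0xD89F, 70, 92_000),
    ("10.10.10.100", "10.10.10.1", 6, 0xD7DC, 0x0017, 30, 19_000),
])


def top_talkers(flows, n: int = 5):
    """Order flows by byte count, like 'ip flow-top-talkers ... sort-by bytes'."""
    return sorted(flows, key=lambda f: f["bytes"], reverse=True)[:n]
```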

Another handy option is configuring logging of the top talkers. This is handy if you have a problem with a remote site where they are complaining of problems; with this enabled you can see the biggest bandwidth hogs in the period of the cache timeout.

ip flow-top-talkers
        top 100
        sort-by bytes
        cache-timeout 3600000
        match protocol tcp

Verification

Most importantly, verify it’s actually working: show ip flow interface below confirms which interfaces are sampling for NetFlow.

Router#sh ip flow interface
Dot11Radio0
  ip flow ingress
  ip flow egress
BVI1
  ip flow ingress
  ip flow egress

If you configured top talkers, then show ip flow top-talkers will show you the bandwidth hogs.

Router#sh ip flow top-talkers

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Di0           74.125.165.145  BV1*          10.10.10.100    06 0050 D89F    92K
BV1           10.10.10.100    Local         10.10.10.1      06 D7DC 0017    19K
BV1           10.10.10.100    Di0           74.125.165.145  06 D89F 0050  7381
BV1           10.10.10.100    Di0           209.85.229.138  06 D89E 0050  1466
Di0           209.85.229.138  BV1*          10.10.10.100    06 0050 D89E  1379
5 of 100 top talkers shown. 5 of 9 flows matched.

Finally, if you configured NetFlow export, verify it with the show ip flow export command.

Router#sh ip flow export
Flow export v9 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Destination(1)  10.10.10.10 (555)
  Version 9 flow records
  715 flows exported in 48 udp datagrams
  0 flows failed due to lack of export packet
  48 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures