Sunday, December 29, 2013

Cisco CUCM: The new Location model in CUCM 8 and above

Hi Guys!

Been ages since I have done a post on VOIP stuff for you guys, I am going to talk about the new locations in CUCM 8 and above in this blog post.

Just a quick refresher: Locations in CUCM are a form of Call Admission Control (CAC) that is  used in CUCM to protect VOIP traffic from itself, sounds funny right? Let's see how it's applicable.

Let's say you have a 512kbps location, and you dedicate let's say 128 kilobits of that to VOIP calls, this is a simple example, that might not be the right amount, you need to take into account IP Overhead, etc. etc. But for our purposes let's use this example.

OK, So how do we normally QoS our VOIP Calls? We Prioritze them right? We use the priority keyword: priority 128 or something to that effect  in our QoS behaviour.

So now we are guaranteeing that VOIP traffic will be put to the front of the queue in times of congestion and will get highest priority. What we are ALSO doing, is not allowing that traffic during times of congestion to get MORE than 128kilobits per second, So not only are we prioritizing, we are policing as well. Remember this is ONLY during times of congestion: if the link is not congested, we can run as much VOIP traffic as we like.

So, let's say we have two calls to this location, two calls, G.711 we are getting 64kilobits per second for each call so a total of 128, even if this link gets congested: no problem,  we have our priority queue taking care of it. But suppose a third call is attempted while this link is congested: Now we have three calls, totalling 192 kilobits per second of bandwidth fighting for 128 kilobits of available bandwidth and being policed down so dropping packets indiscrimentley, leading not only to a bad quality voice call for the new VOIP caller but for all VOIP callers!

So now you understand the purpose of CAC. Let's talk quickly about the methods we can use to control it.

First of all, a standards-based protocol to deal with this problem, called RSVP, was created. This protocol uses a reservation system (Hence RSVP) to reserve bandwidth on a link at the time of call. RSVP has the main advantage of being dynamic: meaning it responds to changes in the network topology such as links going up or down to determine bandwidth, if implemented properly RSVP works quite well, the main issue with RSVP is that it is quite complicated to setup. So a simpler method was created within CUCM called locations.

Locations are configured per-site in CUCM by specifying the maximum amount of bandwidth allowed for that location, calls that would exceed this total are denied and are redirected using AAR (Automatic Alternative Routing) which uses a local PSTN breakout to complete the call.


The problem with locations is the exact opposite of RSVP: It is static, meaning it can't take into account changes in the topology.

These two methods of performing CAC are known as "Topology Aware" (RSVP) and "Topology Unaware" (Locations)


CUCM 8 and 9 introduced a few methods to get around this problem, and that will be the focus of our article.


Location Basics

When you first login to CUCM 8 and above you will notice three default locations that will already exist, it's important that we go through each of them.


Hub_None - This location has been around for a while and is basically a location with unlimited bandwidth for audio and video. No Restrictions are made with this location. This is the default and you will also notice that if you are creating a new phone etc, this hub_none location is selected by default, so does that mean your phone will use this location instead of that in the device pool? NO! The hub_none location is only used on a phone if a device pool location is not specified so keep that in mind.


Shadow - The shadow location is a new location created as part of Enhanced Location CAC (more on this later) and is only used on the SIP intercluster trunks that you configure when doing intercluster CUCM. If you where to assign this to anything other than a intercluster SIP Link, the location is ignored and the device treated as if it was in the hub_none location.

Phantom - This location is used for intercluster trunks. This location is set on InterCluster Trunks and allows the calling and called party to exchange an Information Element (IE) reflecting their own location. This helps with a hairpin situation.

Let's say you have Phone A and Phone B in one Cluster, Cluster A, which is attached to Cluster B. For some reason your call routing is configured so that the call goes from Phone A to Phone B Via the Intercluster Trunk, This would mean that you would reduce bandwidth twice: 1 for the inbound call and one for the outbound call to those locations even though Phone A and Phone B are in the same location! The Phantom Location allows you to have the real location transferred as part of the call and therefore the correct amount of bandwidth will be removed from the locations.

So the only one of the locations we might use in a single cluster environment as per the above is the hub_none location. Phantom and Shadow are useful for inter-cluster situations.

Let's continue to look at locations.

The screenshow below shows the settings we have to add a location:

 

Let's go through each of the options.

First of all we can specify the amount of bandwidth to other locations, the Audio Bandwidth controls the maximum bandwidth for all audio calls, video for video calls and finally Immersive Video Bandwidth is used for most telepresence endpoints to have their CAC bandwidth treated diffierently to standard video. An endpoint can not be configured to either use immersive video or normal video locations but rather this is a fixed configuration decided by Cisco as they release endpoints (Does the endpoint qualify as "Immersive" Is entirely up to them)






Tuesday, December 24, 2013

CCIE Rants Christmas Special: SSH Keys with IOS Routers

Hi Guys

Recently got myself a Mac Book Pro Retina, Most things I like, some things annoy me. The things I like are normally related to the underlying Unix in the OS, including SSH.

If your anything like me 99 percent of the time you log into routers etc you use a username and password, but Linux guru's (like my friend at www.sysadminblog.net)  have long been using SSH keys to create secure connections to there linux servers without having to enter a password every time.

We can do the exact same thing on IOS routers and it's relatively straightforward.

First, I will show you how to generate a ssh key in Mac OS X, I am sure that this process can be done with Putty, and in fact I think there is a putty program specifically geared for this exact reason called puttygen.

I will show the Mac-OS X commands, should be easy enough to figure it out for windows as i mentioned above.

OK, so first of all you need to generate the key, this is quite straightforward:

On your mac terminal, simply enter ssh-keygen and you can then accept most of the defaults, you will want to make sure you back up the private key somewhere (you can always regenerate the public key)

The Passphase is highly recommended: This means that if someone gets a copy of your private key they will still need this password, it also means that you will run a special bit of software called a "SSH Agent" that, when you first use the private key will prompt you for the pass phase to use it, it will only do this once per desktop login session (so if you shut your mac down or log out, next time you SSH in to a host your using SSH key authentication you will need to enter this key phase, but after that you won't have to enter that pass phase again. So pick something secure!


So, as per below enter the ssh-keygen command, choose a path to store the key, enter a pass phase.

Peters-MacBook-Pro:~ peterrevill$ ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/peterrevill/.ssh/id_rsa)
Created directory '/Users/peterrevill/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/peterrevill/.ssh/id_rsa.
Your public key has been saved in /Users/peterrevill/.ssh/id_rsa.pub.
The key fingerprint is:

5b:11:d1:1d:2f:a6:2a:13:b3:09:6c:cd:f8:60:34:0c peterrevill@Peters-MacBook-Pro.local

OK next, cd to the directory and look at your new public key.

Peters-MacBook-Pro:.ssh peterrevill$ cd /Users/peterrevill/.ssh
Peters-MacBook-Pro:.ssh peterrevill$ cat id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDrjoyJeKI/zqt446ntMihqzuHJV9F1Nh9pE+NiZS4khlWl2epnrxGvPIHEfF/P12OsCRMmHUggY1AmKxiQH/styVIGn+FC5y/GWlPwZe7ZDPMUDeoJJCOP5TZWQoIBnF2S+07rKTxlBxtm2BTlJzx+IteQHwA+G/hWLtQL24nWO3/g/urrttD5mTgncHPtTNkc4CiVrr3Av64eO3QlU8ZuGYYFBTrL4nuYHIIywtHT91UAFokB/oddk7vFwwbIpjddkmAvnkUlxHR0719CfxAXjFRVQmCqiVy9ewosUhDZiBXm/NJWvi0CXl/ZVWlsYAqg0CpZ4s5u+V5E0R6/MnKv peterrevill@Peters-MacBook-Pro.local


We need to paste the output of our cat command into the router, so at this point it's time to login to the router. It should be obvious you need SSH enabled, and you will want SSH version 2.

Now, the thing about this process that I have found, is that if you have a user who already has a password, even if your using SSH keys it prompts you for the password, there may be a way to resolve this but not that your humble friend (Me!) could find. So if anyone does know a way to stop this behaviour and allow people to login with EITHER SSH key OR password but not both please post it in the comments :). 

So, to account for this we make a new user and we don't assign them a password, we do assign them privilege 15 though so that the enable password does not have to be entered. Once you have entered the final command key-string come back to this page before continuing.

Issue the following commands:


HomeRouter2921(config)#username test privilege 15
HomeRouter2921(config)#ip ssh pubkey-chain 
HomeRouter2921(conf-ssh-pubkey)#username test
HomeRouter2921(conf-ssh-pubkey-user)#key-string 
HomeRouter2921(conf-ssh-pubkey-user)#




At this point your ready to enter the key, now unfortunately IOS has a limit per line of 250 characters, so you will need to copy 250 characters at a time and go from one line to the next, being careful not to miss any characters whatsoever. (Why they can't make this like the certificate enrolment process where you paste everything in in one go i have no idea!)

It will probably look a little something like this:

HomeRouter2921(conf-ssh-pubkey-data)#$BAAABAQDrjoyJeKI/zqt446ntMihqzuHJV9F1  
HomeRouter2921(conf-ssh-pubkey-data)#$07rKTxlBxtm2BTlJzx+IteQHwA+G/hWLt        
HomeRouter2921(conf-ssh-pubkey-data)#$Wvi0CXl/ZVWlsYAqg0CpZ4s5u+V5E0R6/MnKv  
HomeRouter2921(conf-ssh-pubkey-data)#peterrevill@Peters-MacBook-Pro.local


The start of the key will show: ssh-rsa, you have to copy this in and copy the plaintext bit at the end as this is the description.

Once this is done, you are ready to test it out! That easy hey?

Go to a terminal in Mac OS X and issue the ssh command, we will put the -v flag this time so you can see the process but afterwards you can do away with the -v and just use ssh test@10.0.0.3 

If you assigned a pass-phase to your private key (which you should have done), you will now be prompted by Mac-OS-X itself to enter the pass phase for the private key, after that you should not have to enter this pass phase again until turn off your mac, even subsequent SSH sessions with OTHER routers will be fine.


Peters-MacBook-Pro:.ssh peterrevill$ ssh -v test@10.0.0.3
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to 10.0.0.3 [10.0.0.3] port 22.
debug1: Connection established.
debug1: identity file /Users/peterrevill/.ssh/id_rsa type 1
debug1: identity file /Users/peterrevill/.ssh/id_rsa-cert type -1
debug1: identity file /Users/peterrevill/.ssh/id_dsa type -1
debug1: identity file /Users/peterrevill/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024 p="" sent="">
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 32:a3:4b:36:88:94:fc:c0:b4:17:06:b1:21:c4:c1:2f
debug1: Host '10.0.0.3' is known and matches the RSA host key.
debug1: Found key in /Users/peterrevill/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received


The above output shows you that we sent a key to the router and it accepted it, and then we get on with the rest of the process...

debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/peterrevill/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (public key).



Authenticated to 10.0.0.3 ([10.0.0.3]:22).

We have successfully authenticated!


HomeRouter2921#


We are now logged into the router and ready to start configuring!


That about wraps it up for me until the end of the year I believe, and I also reckon i won't be doing any blog posts until some time in February as I am about to go on my Holiday/Snowboarding Trip to Japan! If your going to be in Myoko Kogen between 11th of Jan to 15th of Feb or you will be at Hakuba for some of Feb Send me an email! :) Peter@peterrevill.com

I want to thank everyone for there continued support, my friends and family and everyone who has been really positive about this blog, I have found it very rewarding to be able to help people and quite a few people whom i have not met have told me hey I know you i read your blog. Really nice Feeling!

Enjoy your Christmas Holidays!








Wednesday, December 11, 2013

Anyconnect SSLVPN

Finally! I found a definitive guide on how to install a 3rd party cert easily:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml

Saturday, December 7, 2013

UCS emulator troubleshooting tips

Hi Guys!

Found a great site with some UCS emulator troubleshoooting tips that you might find helpful!

http://www.acumen-corp.com/Blog/tabid/298/entryid/67/Troubleshooting-Cisco-UCS-Platform-Emulator-UCSPE.aspx

Tuesday, November 26, 2013

802.11 AC and the Cisco AC Module for 3600 Access Points

Hi Guys

This blog post is about the Cisco 3600 access point, the 802.11 AC Module (wave 1) available for that access point and finally the software called "chanalyzer" available to help you with detecting interference and leveraging your Cisco Cleanair access points.

So Incase you where not aware, Cisco have had some access points out now for quite some time called the Cisco 3600 Access Points:

The picture above shows them in all there glory, along with the 802.11 AC Module.

The 802.11 AC module is I believe, an industry first in that your existing 802.11N access points (the 3600's) can be field upgraded to 802.11AC.

The module simply plugs into the back of the AP, as shown in the following pictures:








As you can see, it's quite straight forward! Simply place the module into the slot shown on the AP and then tighten the finger-tight screws


- If 802.11 Ac can offer "gigabit wifi", and its maximum theoretical speed is 1.3 Gigabits per second, don't I need more than 1 gigabit connection from the AP to the switch?

No! 1.3 Gigabit is the maximum theoretical PHYSICAL speed of the radio media, the actual throughput onto the LAN will be less, quite a bit less as we will see.


- Does the 802.11 AC Module require more power?


Yes, you need to make sure your switch supports POE+, the output below shows the wattage required for a 1142 vs the 3602 with the 802.11 AC Module:



homeSwitch3750#show power inline

Module   Available     Used     Remaining
          (Watts)     (Watts)    (Watts)
------   ---------   --------   ---------
1           480.0       35.4       444.6
Interface Admin  Oper       Power   Device              Class Max
                            (Watts)                           
--------- ------ ---------- ------- ------------------- ----- ----
Gi1/0/5   auto   on         20.0    AIR-CAP3602I-N-K9   4     30.0
Gi1/0/18  auto   on         15.4    AIR-LAP1142N-N-K9   3     30.0



- Is it really just plug and play?

Yes! Simply turn the AP off, plug the module in, turn it back on and make sure your running WLC Code of version 7.5 or later, then enable 802.11 AC in the controller.

What kind of speed can we really get from 802.11AC?

I tested with the following equipment:


ASUS PCE-66 802.11 AC Wireless Card
Windows 7
IPERF
Cisco 3600 Access Point
 Laptop connected to gigabit network.

The enviroment was a home setup with quite a bit of wireless interference.

The first step was to establish a gigabit ethernet (wired) benchmark, which resulted in:

722 Megabits per second

The following tests where undertaken:



802.11AC (5.0ghz only, 80 Mhz)
5.0Ghz, TCP, Close Average Speed: 166 Mbits/Sec
5.0Ghz, TCP, 1 Room away Speed:  102 Mbits/Sec





As you can see, it's not even in the same ballpark as what we can get for wired, but it's a significant improvement over 802.11N:


802.11n (5.0Ghz. 40MHZ)
5.0 GHZ TCP Close average speed: 108 Mbits per Second
5.0 GHZ TCP, 1 Room Away Speed: 69.3 Mbits Per Second


802.11n (2.4 GHZ)
2.4 GHZ TCP, Close Average Speed: 71.1 Mbits Per Second
2.4 GHZ, TCP, 1 Room Away Speed:, 50.1 Mbits Per Second

The results above show that 802.11 AC could potentially be a worthwhile improvement, but is certainly not the gigabit wifi we have been led to believe it could be.

The speeds, as rough as they are closely match those achieved by Tom's Hardware:
http://www.tomshardware.com/reviews/wi-fi-802.11ac-router,3386-11.html














Chanalyzer

I discovered Chanalyzer at a customers site and wanted to share it with you guys, it' s an exceptionally useful tool when combined with Cisco Clean Air

http://www.metageek.net/products/wi-spy/
 

The software can be used to connect to a Cisco Access Point running clean air to retrieve spectrum information in real-time!



The above screen looks quite busy but is essentially showing interfering  devices, in this case an xbox controller. This real-time analysis can really help you realize what might be affecting the network.




After dowloading Chanalyzer, you will need to connect to the AP:


The NSI key stands for "network spectrum interface key" and can be found on the WLC Access point page:






This can be very useful for troubleshooting Clean Air Problems.



I hope you enjoyed this blog!


Incidentally, this is my first blog post as a Cisco Data Center Champion, an honor I was recently bestowed by Cisco. Hopefully I can live up to the name!



Thursday, November 7, 2013

isdn sending-complete

This command prevents h.323 dialling delays


Quick blog post guys just so i remmeber myself

Monday, October 28, 2013

Quick and easy way to get around the CIsco UCS - Login Error: java.io.IOException: Invalid Http response Login Error: java.io.IOException: Server returned HTTP response code: 400 for URL: http://x.x.x.x:443/nuova

Hey Guys!


You might have experienced the exceptionally annoying error with Cisco UCS and the latest update to Java (and apparently the fault is a java programming fault not Cisco UCS) where after trying to login to Cisco UCS you get the following error:

Login Error: java.io.IOException: Invalid Http response
Login Error: java.io.IOException: Server returned HTTP response code: 400 for URL: http://x.x.x.x:443/nuova


Here is a quick and easy work-around to enable HTTP via the SSH command shell, you can then HTTP into the device instead of HTTPS and at least that will get you on there quickly instead of having to stuff around with Java,

naturally I would recommend disabling HTTP since everything is transmitted in clear text once the issue is resolved

UCS# scope system 
UCS /system # scope services 
UCS /system/services # enable http 
UCS /system/services # disable http-redirect 
Warning: When committed, this closes all the web sessions. 
UCS /system/services* # commit

Monday, October 7, 2013

CCIE DC: How I passed the CCIE DC

Hi Guys!

As per the subject i passed my CCIE DC and in this blog post I will describe the process that worked for me. What worked for me might not work for you! So keep that in mind.

OK I am going to assume in this post you have already passed the CCIE DC Written and are looking at the lab.

There are several aspects to the CCIE DC Lab that are worth considering, the first is: Lab Rack availability, at the moment at least, is quite sparse, until this situation improves, I recommend at the beginning of your studies for the lab (and assuming you studied hard for the written) I would say make a lab booking within 4 to 6 months from when your ready to knuckle down and start studying hard.

The other aspect is Rack Rental availability from Vendors such as INE and IPExpert is also quite tight at the moment., which makes things difficult, in this blog post we will go through some of the stratergys to help with that situation.

Before I start getting too much into depth, let me take a quick chance to address the "Big two" of vendor training, INE and IP Expert.

I am absolutely not a fanboy by any strech of the imagination: I will use products from either vendor to achieve my goal. I just want to pass, each company has pro's and con's and by combining both, your more likely to get a nice mix. Don't dismiss other options such as traditional training from Cisco Vendor Partners like Firefly, Fastlane etc. It was through a firefly Course that I met a very good friend of Mine Adriaan Steyn,Believe me when i tell you he taught me PLENTY of great info about the Nexus line of switches, I also did a UCS Course with Housley Communications and that too was great training.

Good training, like good products is not restricted to a certain vendor: You might love Sony Headphones but hate Sony TV's for example, don't restrict yourself to a "Oh my training partner is XYZ", That is dumb.  Combine all the training you can, learn from whoever you can.

(Full Disclosure: I am likely to be doing training material for a training vendor at some point in the future.)

OK let's start talking about the study method I used.

First of all, You need to learn the protocols and topics on the blueprint, that much should be obvious, to study, i hand write all my notes, i always hand write my notes, never type: your brain is wired through thousands of years of evolution to hand write, you absorb the information more readily than typing, it is too easy when typing notes to just type and not really think about what it is your typing (especially if like me you can touch type). Hand writing forces you to slow down and the fact that you have to write it, means invariably you will reword it to make it shorter to write, meaning you will understand it better. Plus it's much much easier to draw a network engineers favorite tool: a diagram.


So, I got a book, I printed a copy of the blueprint out and stuck it on the inside of the book and started watching the INE video's, I went through every single one, hand writing notes as I went along. I started with the topic that most interested me and was newest to me, storage. (Incidentally, many idiots will tell you that storage is not a big part of the CCIE DC: They are wrong, it's a huge part, so many things depend on storage that if you don't know it backwards you will not pass)

Starting on a new topic got me enthusiastic and gave me interest I needed to stay motivated.

I then bought myself two Cisco MDS 9216i Switches, I cannot recommend this enough, you SHOULD buy these switches for your own home lab, they are about 500 bucks on ebay (I am selling mine if anyone is interseted, contact me peter@peterrevill.com), I am honestly not just pimping them because I am selling mine: it's INCREDIBLY useful to be able to test the storage stuff in a limited fashion in your own home, and for such a low price this is one of the few things in CCIE DC you can play with yourself. Be warned: they are VERY noisy. Make sure you get ones with Generation 2 modules, Generation 1 modules CANNOT do certain types of port channels and it can become very frustarting.

So now I was watching the INE Storage videos, taking notes, then testing on my home lab equipment what I could, certain topics like FCoE I couldn't test so at that point I would do rack rentals from either IPexpert or INE: Both of them have there pro's and con's, with IPExpert you get access to a FULL lab of the ENTIRE CCIE DC, _but_ the availability is quite low at the moment, with INE (and this may have changed, you would be best off asking them), you don't have access to the whole N7k yourself so you can't make your own VDC's for example, and you can't create a storage VDC, I also _BELIEVE_ that the current N5k is a 5010 or 5020 and not a 5548 which also limits some of the things you can do. You can still do a HECK of a lot with the 5020's, but if your desperate to make sure you have the exact same equipment as the DC Lab then you will want to get yourself some IPExpert time.

Speaking of the rack rental systems, I must say; the INE rack rental system that you use for booking and organizing etc is _EXCELLENT_. I did make a humble solution for improvement on it but all in all it is excellent, you can tell they have spent a lot of time working on it and it shows.


So now I am busy going through this topic and at this point I have not done any workbooks or labs, just going through the theory, testing it out myself. I started posting on my blog as well as this was going on. I strongly recommend starting a blog: being able to successfully communicate a concept to someone else means that you UNDERSTAND that concept.  Plus you can meet some great people through your blog, and it's a great way to organise your own thoughts and opinions.

So I kept this process up through all the individual topics, UCS, Virtualization, Ace, pretty much all the video's provided by INE I went through and studied each of those topics. Once this was finally done, it was time to start the practice labs.

Each vendor has technology labs and full scale mock labs and both have as I mentioned Pro's and Con's, I can't recommend enough doing both. You will always learn more. Data Centre, being a new topic has a few people with somewhat of a misunderstanding of some topics, this is probably the first CCIE I have ever done where I have _NOT_ been able to take whatever is said in the workbook and solution guide as gospel: the technologies are just too new, for some topics you really do have to study yourself, if the answer is unclear go ahead and check it. Be careful listening to other people, many people out there post flat out wrong answer to questions, the best way and only way in my opinion is to _TEST IT YOURSELF_

Perfect example, During my bootcamp there was a discussion about vPC and what kind of BPDU's vPC would send, which switch (primary and secondary) would send BPDU's and what commands you could do to tweak it, so instead of everyone arguing and trying to show how big there brain was, we said let's do a debug spanning-tree bpdu event or whatever the command is and CHECK.

_VERIFY_, _VERIFY_, VERIFY!

There is SO much misinformation out there that you just HAVE to check for YOURSELF what works and what does not, how the technology works, this is how i try and structure my blog: I theorize how I believe a protocol should work or something should work, then I test my hypothesis, and I humbly submit my findings to you, my blog reader. It's a little thing you might have heard of called the scientific method: Adapt this in your studies, trust nothing, verify it yourself, prove to yourself you have an understanding as to exactly how it works.

To compliment my study regime, I started reading quite a few books, my friend Ron Fuller and David Yansen have a great Cisco Nexus book, for example, in no particular order I read the following books pretty much from cover to cover.

(Full Disclosure: If you buy the books below using the link on my webpage here I get a small percentage of that sale, it does not add any cost to you for the price of the book, I would consider it a favour if you buy the book to please use my links below.)

The first is a Nexus topic book, this was a great great book. There are some very good topics covered very well here and it really complimented the INE videos and helped me fill in the gaps of my knowledge. If you only buy one book for the CCIE DC studies make it this one.



NX-OS and Cisco Nexus Switching: Next-Generation Data Center Architectures (2nd Edition) (Networking Technology)
The second book is a great book on Cisco UCS, It's a little dated at the moment but I believe a second edition is on it's way
Cisco Unified Computing System (UCS) (Data Center): A Complete Reference Guide to the Cisco Data Center Virtualization Server Architecture (Networking Technology)
This book Is also highly recommended in the CCIE DC community, I must confess I have not got a copy myself but everyone who has read it raves about it:
Data Center Virtualization Fundamentals: Understanding Techniques and Designs for Highly Efficient Data Centers with Cisco Nexus, UCS, MDS, and Beyond
The final book I will recommend is a multicast concept book, Multicast is an important part of the CCIE DC and this book is extremely well written, actually kind of funny to be honest, the author is a funny guy and cracks jokes the whole way through, multicast was a mystery to me until i read this book for my CCIE R&S, it is now a tiny bit dated but multicast has not changed all that much so was a great resource for me. Developing IP Multicast Networks, Volume I (paperback)
At this point i was ready to begin discussing my thoughts on protocols with my friends and collegues studying for the same exam (or performing Data-Centre related work out in the field.) This is a crucial step: your friends will challenge your knowledge, if you don't know a topic well and they do, they will unveil this weakness to you: My friends and I did this to great success, we would give each other hairy questions and make friendly wagers on how a particular technology is meant to work, like how does vPC peer-switch actually work.  I confess to losing quite a few of these wagers!


I became active in the CCIE DC Facebook Group which you should definately join if your on this quest, you will get some great questions and tips and tricks for all your Data Centre work in this great little community. Respect the rules and join! (Full Disclosure: I am an admin of this facebook group, but I receive no compensation)

I also became active on twitter and tried my best to help people out there: Good questions can help you understand a technology better, but be careful not to claim you have an answer to a problem if you don't. Try not to mislead people! Too much misinformation out there.


For rack time, A great tool is the Cisco PEC: Use it! Remember, even though they have particular labs, if the equipment matches what your trying to learn your NOT restricted to JUST doing the labs they list in the PEC, the PEC is a valuable resource: use it.

So after I finished up the technology labs and a few mock labs I went on my CCIE Data Centre Bootcamp with Ipexpert, I always do this as my final preperation of study: The bootcamps should be your final step, don't go to a bootcamp as one of your first steps, it will be wasted on you. You can't possibly cram the massive amount of information you need to know and massive topic list into just 2 weeks or a week or however long you have, your bootcamp should be about solidifying everything and making sure you know what's going on. A sign your on the right track is throwing out great tricky questions to your lecturer.

After this I was ready for my first attempt and took it in brussels, while I was quite close, I failed, I was absolutely distraught: I really thought I had nailed it, I finished quite early, my mistake was not reading the questions carefully. I was humbled by the first attempt, it showed me that although I might have most of the technologies understood and I definitely have the speed i did NOT have the careful reading that is required of this CCIE DC exam.

I quickly booked a second attempt and during the time between first attempt and second I just studied my notes again, kept everything fresh as I already had the knowledge I just didn't have the careful reading required of the exam. I managed to pass the second time after being careful.

I hope this helps someone out there, to all my loyal readers and people with kind words: it honestly makes me SMILE from EAR TO EAR when I know that one of my blog posts helped you! I like to help people it's in my nature, I wish you all the luck in the world in your quest to obtain CCIE DC.