A few weeks back I posted about attending training for my CCNP studies.  I had started/stopped studying for the ROUTE exam several times over the past year and was kicking off what I was hoping would be my final attempt at getting some momentum on this exam.  I am very pleased to share that last Tuesday I took the ROUTE exam and passed the test with a healthy score.

For the most part the test was fair in the topics covered.  In typical Cisco fashion, I felt like someone who speaks English as a second or third language wrote the exam questions.  I much preferred the simulation questions as there are clear objectives and verifiable results.  Now that I have cleared the hurdle of ROUTE I have already started down the path of SWITCH and I am looking forward to the challenge that lies ahead.

I’m quite excited as this week I will be re-initiating my pursuit of the CCNP route and switch certification.  This is something that I have started a couple times but has been sidelined due to various personal and work-related reasons.  I am hoping that this time around I can get some momentum behind me and am happy to be kicking it off with some instructor-led training.  I am typically more of a self-learner (more of necessity rather than desire) but this time around my work is providing for me to attend the ROUTE class at Global Knowledge.

I picked ROUTE first as this is the area I have the least amount of experience in and will most likely take the most effort to achieve.  I was previously responsible for a number of larger campus/metro networks that relied heavily on switching concepts and little on routing.  In fact…when I started at the company everything in the network was controlled with static routes…in 2005…

Moving forward to the current day I am still a bit surprised that I’m here.  When I made the move to my current employer about 9 months ago it was as a SysAdmin with a focus on Virtualization.  I have never been a “Network Engineer” in the truest sense since I have never had a job exclusively focused on packet manipulation.  My manager knew I had some skills in the area but it took my friend Jeff Fry leaving the organization to even give me the opportunity to do work on the network side of things.  Talk about some large shoes to fill…

I’m hoping the uninterrupted time, combined with some live instruction, is just what is needed to get me moving towards my CCNP.

This is a short list of the tools that I have been using to study for my Cisco certification exams.  I would love to hear if you have used other tools to effectively study/prepare for certifications.

Cisco Press

This one is a pretty obvious selection as they publish the official exam study guides for all of the Cisco certification exams.  I’m currently reading CCNP Route but have also gone through ICND1 and ICND2 for my CCNA studies.  One really great thing about Cisco Press is that they have an eBook deal of the day which often features the Cisco Press certification guides for CCNA and CCNP tests (in many disciplines, not just R&S).  It’s pretty hard to beat picking up a cert guide eBook for $10.  The only thing to watch out for is that some of the discounted eBooks come with DRM that only allows them to be read on a computer and not on a mobile device like a smartphone or tablet.  They have answered this concern by providing watermarked eBooks but you have to verify which version of the material you are purchasing.

Safari Books Online

This resource goes far beyond just studying for certifications and I can’t recommend having a subscription enough.  Safari is an online library of technical manuals/guides containing just about every technology you could think of.  They have different tiers of access that make it accessible for an occasional user like myself to obtain without corporate backing.  They also publish an iPad application that allows you to access the content from your tablet.

iPad

This is a surprisingly convenient tool when studying for certifications.  Having an independent display (on the go) that can house reference material or lab guidelines leaves your primary laptop/computer free for labbing or note taking.  I also use mine quite regularly to read the certification guides when I’m not sitting at a desk or have my laptop handy.  It’s definitely not a necessity but it has many great uses while studying.

Laptop/computer

You need one…period.  These are technical certifications and I imagine they would be pretty hard to pass without some sort of laptop or computer to work on.  If you are going to be doing virtual labbing with a tool like GNS3 then make sure it isn’t weak.  You can never have too much RAM.

GoodReader

If you are going to read any document on the iPad it is an absolute must.  It makes reading large PDF files easy, remembers where you were when you leave the file/app and can sync files from 3rd party storage locations like Dropbox.  It’s $5 in the App Store and is worth every penny.

Mental Case

Mental Case is a flash card application for the Mac, iPhone and iPad.  Greg Ferro from packetpushers had tweeted a recommendation about it so I picked it up for my iPad…well worth it.  You can create your own question sets or use public sets available for download from FlashcardExchange.com and Quizlet.com.  The application tracks which questions you have answered correctly and incorrectly and can revisit questions you got wrong automatically.  This is definitely another fantastic app that is well worth the money.

GNS3/Dynamips

GNS3 is an emulated routing environment that supports running Cisco IOS and Juniper JunOS.  It’s a godsend for labbing as you no longer need to have physical equipment in order to learn how to configure software components.  It certainly gives greater flexibility in setting up disparate media/connectivity types without needing a drawer full of interface cards and multiple routers sitting in your garage/basement.  Unfortunately, emulating IOS is a grey area when it comes to licensing.  Technically every version of IOS you run should be licensed (which is tied to a piece of hardware) and Cisco does not provide a short term trial or limited version of their software for testing/studying.  Cisco isn’t alone in that, as Juniper and the other major network vendors have similar stances on licensing, but the reality is that you don’t need 4 to 6 routers running in your house and drawing power when it can be emulated at far less cost/aggravation…not to mention the benefits of bringing your lab with you wherever you go.  As far as I know Cisco has not ever pursued any type of punitive action against those using IOS outside of the normal contract for studying purposes (which has to be in the thousands) but you do so at your own risk.

GNS3Vault

If you do choose to go the emulation route this website is a great resource.  Rene Molenaar runs this site which provides labs for the different technologies learned while going through the study guides.  Some labs are better than others but having free access to lab guides can help validate that you’ve learned the material and provide the practice necessary to really commit it to memory.  Additionally there are many videos on YouTube explaining how to complete the lab requirements.

As most of you probably know, I have been studying for my CCNP certification lately. I’m currently working through the EIGRP protocol and one of the topics that keeps coming up (and I continually seem to forget one of the steps for) is EIGRP authentication using key chains. This is just a quick how-to for those who might be in the same spot.


Step 1: Create the key chain

Key chains have three necessary components and two optional components. The necessary components are the key chain name, key number and key string (aka password). Optionally you can include an accept-lifetime and a send-lifetime parameter that will dictate which keys on the key chain are used when. Let’s get started on the initial configuration…

You’ll need to start in global configuration mode and then enter the following command where <unique_key_chain_name> is any name of your choosing:

key chain <unique_key_chain_name>

You should now be in key chain configuration mode. Create a key with the following command:

key <unique_number>

The number you choose here is important as the sequence of keys plays into which keys will be used for particular functions. Assuming that this is a new key chain you will almost always start with key 1. The last step that needs to be accomplished for a functioning key chain is setting the key string. This is essentially the same thing as a shared secret phrase or a password and will need to match the key-strings configured on neighboring routers:

key-string <unique_string>

Of all of the above components, the two things that need to match identically on neighboring devices are the key number and key string. The key chain name is only locally relevant and is not used in the authentication process. So long as the key number and key-string match, authentication should work correctly.

So that is all good…we now have a key chain and it is configured with a key and key-string but it doesn’t do us much good until we apply that to something and that brings us to step 2…


Step 2: Apply the key chain to an interface

Authentication is configured in interface configuration mode (not router configuration mode as you might expect). Any interface that has authentication configured on it will not form neighbor relationships out that interface unless the neighbor passes the authentication process. To apply key chain authentication on an interface you must issue the following two commands in interface configuration mode:

ip authentication mode eigrp <ASN> md5
ip authentication key-chain eigrp <ASN> <unique_key_chain_name>

**Note: While configuring authentication, if a neighbor relationship already exists it will be torn down when the first of these two commands is issued on an interface. The neighbor relationship will only re-establish itself when authentication is removed from the interface or the neighbor is configured with a complementary authentication scheme.**

So that’s it for the basics of how to configure EIGRP authentication for neighbor relationships. Let’s take a look at the entire configuration start to finish and then cover some additional configuration items as well as some of the caveats of how the authentication works:

R1>en
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#key chain JKM
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string jordanmartin.net
R1(config-keychain-key)#int fa0/0
R1(config-if)#ip authentication mode eigrp 61 md5
R1(config-if)#
*Mar 1 00:30:49.987: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 61: Neighbor 192.168.1.2 (FastEthernet0/0) is down: authentication mode changed
R1(config-if)#ip authentication key-chain eigrp 61 JKM

R2>en
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#key chain HEM
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string jordanmartin.net
R2(config-keychain-key)#int fa0/0
R2(config-if)#ip authentication mode eigrp 61 md5
R2(config-if)#ip authentication key-chain eigrp 61 HEM
R2(config-if)#
*Mar 1 00:32:57.723: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 61: Neighbor 192.168.1.1 (FastEthernet0/0) is up: new adjacency


Accept-lifetime and Send-lifetime

The accept-lifetime and send-lifetime are configuration parameters that are available while configuring a key within a key chain. These two commands are pretty self-explanatory but essentially they establish a time frame for the validity of a key: accept-lifetime controls when the router will accept the key from a neighbor and send-lifetime controls when the router will use the key itself. One of the primary uses for expiring keys is to change key combinations for security reasons.  By configuring multiple keys with different expiration time frames you can configure the key change in advance without impacting your current authentication methods.  The proper way to configure the commands is:

accept-lifetime 01:00:00 Nov 7 2011 13:00:00 Nov 7 2011
send-lifetime 01:00:00 Nov 7 2011 13:00:00 Nov 7 2011

The above commands would make the key valid between 1AM and 1PM on November 7th only.  This process is obviously very dependent on synchronized clocks between routers.  If you are going to set accept-lifetime and send-lifetime values for your authentication keys it is highly recommended to make use of a central time server to ensure clock synchronization.  To understand completely what happens when multiple keys are valid at the same time we need to take a look at how EIGRP selects the keys to use when authenticating.


Key Selection

When authentication is configured EIGRP identifies potential neighbors and then goes directly into the authentication process. To select which key it sends to its neighbor, the router looks through its entire list of keys and sends the key-string of the lowest key number that is currently valid. Assuming that today is November 8th, 2011, key 2 and key 3 would be the only valid keys of the four keys in the chart below. Since key 2 is the lowest numbered key, this is the key that will be used to attempt authentication with the neighboring router.

Key Chain Graphic

Based on the same information above, if this router were to receive a key string as part of the authentication process, it would try to validate that key against the same key number in its own key chain. If the received key matches the same key number then the authentication would be validated and the neighbor relationship would be established.
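To make the two rules above concrete (the sender picks the lowest key number that is currently valid for sending; the receiver checks the same key number in its own chain, within that key's accept-lifetime), here is an added Python model of a key chain. It is not Cisco's code and not the EIGRP packet format: the digest function, the key strings, the chain contents and the router clocks are all constructed for the illustration. It also covers the rotation scenario from the accept-lifetime/send-lifetime section, showing why the accept window of a new key should open before its send window (and the old key's accept window should close after its send window) when two neighbors' clocks are slightly out of sync.

```python
"""Added model of IOS-style key chain handling for EIGRP neighbor authentication.
Illustration only: not Cisco's code and not the EIGRP wire format. The digest is a
constructed stand-in so the post's selection and validation rules can be exercised."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

HELLO = b"EIGRP HELLO AS 61"  # constructed packet body, stands in for a real hello

@dataclass
class Key:
    number: int
    key_string: str
    # A key with no lifetimes configured is always valid; datetime.min/max model "infinite".
    accept_start: datetime = datetime.min
    accept_end: datetime = datetime.max
    send_start: datetime = datetime.min
    send_end: datetime = datetime.max

    def can_accept(self, now: datetime) -> bool:
        return self.accept_start <= now <= self.accept_end

    def can_send(self, now: datetime) -> bool:
        return self.send_start <= now <= self.send_end

@dataclass
class KeyChain:
    name: str             # locally significant only; the neighbor never sees it
    keys: dict[int, Key]  # indexed by key number

    def select_send_key(self, now: datetime) -> Optional[Key]:
        """Lowest key number whose send-lifetime covers `now`, or None."""
        for number in sorted(self.keys):
            if self.keys[number].can_send(now):
                return self.keys[number]
        return None

def _digest(packet: bytes, key_string: str) -> str:
    # Constructed stand-in for the MD5 authentication digest; the real EIGRP layout differs.
    return hashlib.md5(packet + key_string.encode()).hexdigest()

def sign(chain: KeyChain, packet: bytes, now: datetime) -> Optional[tuple[int, str]]:
    """Sender side: (key number, digest) for the selected key, or None if no key is sendable."""
    key = chain.select_send_key(now)
    return None if key is None else (key.number, _digest(packet, key.key_string))

def verify(chain: KeyChain, packet: bytes, key_number: int, digest: str, now: datetime) -> bool:
    """Receiver side: the same key number must exist locally, be inside its accept-lifetime
    on the receiver's own clock, and reproduce the digest."""
    key = chain.keys.get(key_number)
    if key is None or not key.can_accept(now):
        return False
    return hmac.compare_digest(_digest(packet, key.key_string), digest)

def chart_chain() -> KeyChain:
    """Constructed four-key chain in the spirit of the post's chart: on Nov 8 2011
    key 1 has expired, key 4 is not yet valid, and keys 2 and 3 are both valid."""
    d = datetime
    return KeyChain("JKM", {
        1: Key(1, "expired-secret", accept_end=d(2011, 11, 7, 13), send_end=d(2011, 11, 7, 13)),
        2: Key(2, "current-secret", accept_start=d(2011, 11, 7, 1), send_start=d(2011, 11, 7, 1)),
        3: Key(3, "next-secret", accept_start=d(2011, 11, 1), send_start=d(2011, 11, 1)),
        4: Key(4, "future-secret", accept_start=d(2011, 12, 1), send_start=d(2011, 12, 1)),
    })

def rollover_chain(overlap: bool) -> KeyChain:
    """Constructed key 1 -> key 2 rollover at midnight Nov 10 2011. With overlap=True each
    accept-lifetime extends a day past the send boundary; with overlap=False they coincide."""
    d = datetime
    accept_new_from = d(2011, 11, 9) if overlap else d(2011, 11, 10)
    accept_old_until = d(2011, 11, 11) if overlap else d(2011, 11, 10)
    return KeyChain("ROLL", {
        1: Key(1, "old-secret", accept_end=accept_old_until, send_end=d(2011, 11, 10)),
        2: Key(2, "new-secret", accept_start=accept_new_from, send_start=d(2011, 11, 10)),
    })

def hello_both_ways(chain: KeyChain, clock_a: datetime, clock_b: datetime) -> tuple[bool, bool]:
    """Routers A and B share `chain` but run different clocks: (B accepts A, A accepts B)."""
    a, b = sign(chain, HELLO, clock_a), sign(chain, HELLO, clock_b)
    if a is None or b is None:
        return (False, False)
    return (verify(chain, HELLO, a[0], a[1], clock_b), verify(chain, HELLO, b[0], b[1], clock_a))

def demo() -> dict:
    """Runs the scenarios with constructed clocks and returns the outcomes."""
    nov8 = datetime(2011, 11, 8)
    ahead = datetime(2011, 11, 10, 0, 0, 30)    # router A: 30 s past the rollover
    behind = datetime(2011, 11, 9, 23, 59, 30)  # router B: 30 s before it
    return {
        "key_sent_nov8": chart_chain().select_send_key(nov8).number,
        "unknown_key_number": verify(chart_chain(), HELLO, 9, "00", nov8),
        "wrong_secret": verify(chart_chain(), HELLO, 2, _digest(HELLO, "guess"), nov8),
        "rollover_with_overlap": hello_both_ways(rollover_chain(True), ahead, behind),
        "rollover_without_overlap": hello_both_ways(rollover_chain(False), ahead, behind),
    }

if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the outcomes: on November 8th the chain sends key 2, a received key number that does not exist locally or a wrong key string fails, and the rollover authenticates in both directions only when the accept windows overlap the send boundary; with accept and send windows that coincide exactly, the router whose clock is 30 seconds ahead is already sending key 2 while its neighbor will not yet accept it, and the neighbor is still sending key 1, which the first router no longer accepts. On an IOS router, `show key chain` lists each key with its lifetimes so you can confirm which one is active before the cutover.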