What is the OSPF Stub Area?

OSPF is one of the most widely used IGPs and arguably the most scalable. It is also one of the more complex protocols, since it involves many concepts and terminologies. One topic that often confuses people is OSPF area types.

I will try to simplify them and present them in plain language. I am not going to reinvent the wheel, as plenty of OSPF resources already exist.

What is an OSPF Stub Area?

An OSPF stub area filters the OSPF database purely by LSA type: the ABR of a stub area prevents Type 5 (external) LSAs from being flooded into the area and replaces them with a default route carried in a Type 3 (summary) LSA. In other words, the ABR originates a Type 3 LSA listing network 0.0.0.0 with subnet mask 0.0.0.0 and floods it into the stub area. Using the stub area feature therefore reduces the CPU utilization of the routers in that area.

OSPF Stub Area

In the scenario above, Type 3 LSAs are exchanged between Area 0 and Area 5. However, when a Type 5 LSA reaches R2, the ABR, R2 strips the external LSA (Type 5) and instead advertises a default route towards router R3.

A stub area is configured on a Cisco IOS router with the following commands under the OSPF process (here process 1, area 5):

    router ospf 1
     area 5 stub
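To make the ABR behaviour concrete, here is a small model (added here, not code from the original post) of what the ABR floods into an area when it is a stub versus a normal area. The LSDB contents are constructed, and it generalizes the text slightly: Type 4 (ASBR-summary) LSAs are withheld from a stub area as well, since no external routes exist inside it.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class LSA:
    ls_type: int                 # 1 router, 2 network, 3 summary, 4 ASBR-summary, 5 AS-external
    link_state_id: str           # network (types 3/5) or router (type 4) described
    mask: str = ""
    advertising_router: str = ""

# Constructed backbone (Area 0) LSDB as seen by ABR R2 (router-id 2.2.2.2):
# one inter-area prefix, plus an external prefix redistributed by ASBR R1 (1.1.1.1).
BACKBONE_LSDB = [
    LSA(3, "10.0.0.0", "255.255.255.0", "2.2.2.2"),
    LSA(4, "1.1.1.1", "", "2.2.2.2"),
    LSA(5, "203.0.113.0", "255.255.255.0", "1.1.1.1"),
]

def abr_flood_into_area(backbone_lsdb: List[LSA], abr_id: str, stub: bool) -> List[LSA]:
    """LSAs the ABR floods into a non-backbone area.

    Stub area: Type 5 LSAs are withheld (Type 4 too) and a single ABR-originated
    Type 3 LSA for 0.0.0.0 mask 0.0.0.0 replaces them. Normal area: passed on as-is.
    Note: "area N stub" must be set on every router in the area; a mismatch in the
    hello options prevents adjacencies from forming.
    """
    if not stub:
        return list(backbone_lsdb)
    kept = [lsa for lsa in backbone_lsdb if lsa.ls_type not in (4, 5)]
    kept.append(LSA(3, "0.0.0.0", "0.0.0.0", abr_id))  # the injected default route
    return kept

def reachability(area_lsdb: List[LSA], prefix: str) -> str:
    """How a router inside the area reaches prefix (exact-prefix match for brevity):
    'specific' via its own LSA, 'default' via the stub default, '' if unreachable."""
    if any(l.ls_type in (3, 5) and l.link_state_id == prefix for l in area_lsdb):
        return "specific"
    if any(l.ls_type == 3 and l.link_state_id == "0.0.0.0" and l.mask == "0.0.0.0"
           for l in area_lsdb):
        return "default"
    return ""

if __name__ == "__main__":
    for stub in (False, True):
        lsdb = abr_flood_into_area(BACKBONE_LSDB, "2.2.2.2", stub)
        print(f"stub={stub}: {len(lsdb)} LSAs, 203.0.113.0 via {reachability(lsdb, '203.0.113.0')!r}")
```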

In an upcoming post we will see how to configure an OSPF stub area on Cisco routers, building a sample topology in Cisco VIRL.

Does CCIE track selection need counselling?

When it comes to choosing a CCIE track, most CCIE aspirants are confused; every day I encounter at least one CCIE aspirant approaching me for advice. Sometimes I pity them, but they are in need of guidance, so I try to support them morally and guide them to the best of my ability.


Why are most of them confused about choosing a CCIE track?

It has been observed that most of them are confused at step 1 of the CCIE: they struggle to choose a track. Some of them meet instructor after instructor from different tracks to help them select one, which only confuses them more. I have even seen people start with track A for a few months and then change to track B, which is not a good sign for someone who has already started the CCIE journey.

I believe most of them choose a CCIE track for reasons like:

  • Which CCIE track is in more demand?
  • Which CCIE track is easy to pass?
  • Which CCIE track offers me more remuneration?
  • Which CCIE track is easy to simulate?
  • Which CCIE track costs less?

And so forth. These are not valid reasons to select a CCIE track. I strongly believe there should be a strong desire and passion for a particular track, which surfaces when you ask yourself the series of questions mentioned in the article “The Journey of CCIE – Series 1”. Still, some people may need some sort of pre-CCIE counselling in selecting a track and planning their journey.

As far as I know, no one offers such a service. If someone wants guidance they can reach out to me and I can assist them in choosing their passion. Yes, the CCIE is a passion and can only be achieved when someone gives more than 100%. Please feel free to reach out; I will be more than glad to help.

Cisco ASA VPN troubleshooting  – Decaps but No encaps

Recently we observed a strange issue while building a site-to-site VPN tunnel between a Cisco ASA (9.1(5)) and a Palo Alto Networks next-generation firewall (PAN-OS 7.0.9). Phase 1 of the tunnel always established successfully with the peer, but phase 2 failed to come up.

We always saw issues with encapsulation: packets sent were never encapsulated, while packets received from the remote peer were decapsulated, meaning the ASA was not encrypting outbound data. The counters below demonstrate the problem:

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 74, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #TFC rcvd: 0, #TFC sent: 0
    #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
    #send errors: 0, #recv errors: 74

We did thorough troubleshooting and ensured the following at both firewalls:

  • Both firewalls have an appropriate route for the interesting traffic / proxy IDs
  • The ACLs / policies match at both ends
  • NAT is configured properly, as we were using source-based NAT at both ends
  • Proper debugging is enabled at both ends
  • Both vendors were involved to see what the issue was

After thorough troubleshooting it was discovered that the ASA was hitting bug CSCuo58411.

This bug creates duplicate entries in the tunnel manager, as can be seen in the debug output below:

    IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
    Jul 24 08:20:49 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
    IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.0.100.2, sport=45638, daddr=192.168.120.100, dport=45638
    IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
    Jul 24 08:20:50 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager

The workaround that fixed the issue for us was to upgrade the ASA from 9.1(5) to 9.5(3)6. The other recommended workaround is:

Issue “debug menu ike-common 10” to remove the stale IKEv2 entries (this will delete all current IKEv2 connections)
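A quick way to spot this pattern in a batch of captures is to parse the ASA's "#pkts ..." counters and the IKE debug output rather than eyeball them. The script below is an added example, not part of the original post; its sample input is constructed from the counter and debug lines quoted above, and the finding texts are my own wording.

```python
import re
from typing import Dict, List

# Constructed sample input: the counters and debug lines quoted in the post above.
SAMPLE_SA = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 74, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#send errors: 0, #recv errors: 74
"""
SAMPLE_DEBUG = """\
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:49 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:50 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
"""

# Each counter looks like "#pkts encaps: 0"; several appear per line separated by commas.
COUNTER_RE = re.compile(r"#([\w\- ]+?):\s*(\d+)")

def parse_counters(show_output: str) -> Dict[str, int]:
    """Map each '#name: value' counter of the SA output to an int, e.g. {'pkts decaps': 74}."""
    counters: Dict[str, int] = {}
    for line in show_output.splitlines():
        for name, value in COUNTER_RE.findall(line):
            counters[name.strip()] = int(value)
    return counters

def diagnose_sa(counters: Dict[str, int]) -> List[str]:
    """Findings that point at a one-way tunnel rather than a route/policy mismatch."""
    findings: List[str] = []
    encaps, decaps = counters.get("pkts encaps", 0), counters.get("pkts decaps", 0)
    if decaps > 0 and encaps == 0:
        findings.append("decaps but no encaps: peer sends ESP, local side never encrypts")
    if counters.get("recv errors", 0) > 0 and counters.get("pkts decrypt", 0) == 0:
        findings.append("received packets counted as recv errors while none were decrypted")
    return findings

def count_duplicate_tunnel_entries(debug_output: str) -> int:
    """Occurrences of the IKE common debug line the post associates with bug CSCuo58411."""
    marker = "Duplicate entry already in Tunnel Manager"
    return sum(1 for line in debug_output.splitlines() if marker in line)

if __name__ == "__main__":
    print(diagnose_sa(parse_counters(SAMPLE_SA)))
    print("duplicate tunnel manager entries:", count_duplicate_tunnel_entries(SAMPLE_DEBUG))
```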

How to ace the F5 201 – TMOS Administration certification exam?

To become an F5 Certified BIG-IP Administrator, one must pass two exams:

  • Exam 101 – Application Delivery Fundamentals
  • Exam 201 – TMOS Administration

Upon passing Exam 101 – Application Delivery Fundamentals, a candidate becomes eligible to take Exam 201 – TMOS Administration, provided they sit Exam 201 within two years. Unless one passes both exams, one cannot expect any certificate from F5. Upon passing Exam 201, F5 issues the F5 Certified BIG-IP Administrator certificate, which can be downloaded from the F5 certification portal.

F5 certification graphic (Courtesy: F5)

Recently I passed the F5 BIG-IP 201 exam and am now an F5 Certified BIG-IP Administrator. F5 exams are quite challenging, but at the same time they are straightforward. With good hands-on experience on a BIG-IP appliance and by reading the resources recommended by F5, one can ace this exam.

When preparing for any certification exam, the main thing one looks for is the right resources. For the F5 BIG-IP 201 exam there are few, but excellent, resources available, and by using them one can certainly ace the exam. There is no single dedicated book for this exam, but the available study guides, video courses and practice labs are more than enough to prepare for it.

First, one needs the right determination and a clear vision to ace this exam, as it requires a good amount of dedication and time. The main resources one depends on for preparation are available from F5: F5 offers the study guide 201 – TMOS Administration V2 for free, which anyone can download from their portal.

This study guide is brief and covers all the topics in the blueprint of the F5 BIG-IP 201 exam. The great thing about it is that it comes with many hyperlinks for the various topics covered; one should pay good attention to those links, read them and practice them.

The second great resource is F5 University; the recommended training courses are:

  • Getting Started with F5 products
  • LTM Essentials

These videos are very helpful for understanding the concepts and F5 terminology; the courses are presented in a very simple manner and are rich in information. The content and the quiz presented after each module/topic are informative and relevant from an exam perspective.

Thirdly, the F5 training labs, which are free, come with great workbooks, and one can get good hands-on experience on F5 BIG-IP appliances. The labs are so good that one can really master how to administer the BIG-IP LTM module.

Apart from using the F5 training labs, I built a virtual lab on my MacBook using the F5 BIG-IP Virtual Edition with a 90-day trial license.

The great thing about F5 is that the free resources they provide are quite good and more than enough to nail the F5 exams; however, one needs to pay attention to minute details like TMSH command usage, the events generated by the BIG-IP appliance, the LED statuses, etc.

How to set up an F5 BIG-IP LTM Virtual lab on VMware Fusion?

After I passed the F5 201 – TMOS Administration exam, some professional friends were keen to know how to build an F5 practice lab on their personal machines.

In this post we walk step by step through building a virtual lab for the F5 201 – TMOS Administration exam on macOS Sierra.

We will use the following topology to build the F5 virtual lab for 201 – TMOS Administration exam practice. Before starting, please ensure VMware Fusion is installed on macOS Sierra.

Fig 1 – F5 BIG-IP LTM Topology

We will use four VMware networks for this lab. By default only “vmnet” is created, so we need to create three more:

  • vmnet2
  • vmnet3
  • vmnet4

The IP address mapping and function of each VMware network is as follows:

Fig 2 – IP address schema

Step 1: Launch VMware Fusion and then select Preferences.

Fig 3 – VMware Fusion preferences

Step 2: Click the Network icon, then click the lock icon to allow changes.

Fig 4 – Network

Step 3: Click the + icon to add a custom network named vmnet2 and assign the subnet IP 172.16.1.0 with subnet mask 255.255.255.0. This will be the internal network. Also ensure the following checkboxes are selected:

  • Connect the host Mac to this network
  • Provide addresses on this network via DHCP

Fig 5 – Add custom network
Fig 6 – vmnet2

Step 4-a: Click the + icon to add a custom network named vmnet3 and assign the subnet IP 172.16.2.0 with subnet mask 255.255.255.0. This will be the HA network. Also ensure the following checkboxes are selected:

  • Connect the host Mac to this network
  • Provide addresses on this network via DHCP

Fig 7 – vmnet3

Step 4-b: Click the + icon to add a custom network named vmnet4 and assign the subnet IP 10.1.0.0 with subnet mask 255.255.255.0. This will be the management network. Also ensure the following checkboxes are selected:

  • Connect the host Mac to this network
  • Provide addresses on this network via DHCP

Fig 8 – vmnet4

Step 5: Log in to the F5 website and request a free trial of BIG-IP Virtual Edition.

Fig 9 – Free trial of BIG-IP VE

Step 6: Once the email with the BIG-IP registration key arrives from F5, download the BIG-IP VE System VMware image. Since the F5 201 – TMOS Administration exam is based on TMOS version 11.4, we download BIG-IP Virtual Edition 11.4 for our lab. Download the OVA file for VMware ESX/ESXi Server v4.1–5.1, as it is compatible with VMware Fusion.

Fig 10 – BIG-IP VE image

Step 7-a: Import the BIG-IP VE System VMware image via VMware Fusion > File > Import.

Fig 11 – Import BIG-IP

Step 7-b: Click Choose File.

Fig 12 – Choose File

Step 7-c: Navigate to the folder where the image was downloaded, select the BIGIP-11.4.0.2384.0-scsi.ova file and click Open.

Click Continue to import the image.

Fig 13 – BIG-IP import

Step 7-d: Give the new virtual machine the desired name and click Save.

Fig 14 – Save BIG-IP

Step 7-e: Accept the license agreement.

Fig 15 – Accept license

Step 8: Once the import completes, click Finish and then Customize Settings to configure the network settings; if needed, memory, CPU and hard disk settings can also be customized here.

Fig 16 – Finish

Step 9-a: Customize the network adapter settings to match the topology you are using; in our case we map them to the topology in Fig 1.

Fig 17 – Network adapters

Step 9-b: Map Network Adapter to vmnet4, as this will be the management interface of the BIG-IP virtual appliance.

Fig 18 – Network adapter

Step 9-c: Map Network Adapter 2 to bridged networking (in our case it is bridged to the Wi-Fi adapter, which is connected to the external network 192.168.1.0/24).

Fig 19 – Network adapter 2

Step 9-d: Map Network Adapter 3 to vmnet2, as this will be the internal interface of the BIG-IP virtual appliance.

Fig 19 – Network adapter 3

Step 9-e: Map Network Adapter 4 to vmnet3, as this will be the HA interface of the BIG-IP virtual appliance.

Fig 19 – Network adapter 4

By following the steps above, one can build an F5 BIG-IP LTM lab on a laptop using VMware Fusion. In an upcoming post we will see how to do the initial configuration of the BIG-IP Virtual Edition so that the F5 201 – TMOS Administration exam labs can be run on it.
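A wrong adapter-to-network mapping in Step 9 is the most common reason the lab does not come up as drawn in Fig 1, and it is easy to miss in the GUI. The check below is an added example, not part of the original post: it reads the VM's .vmx file and compares each adapter with the mapping from Step 9. The key names ethernetN.present, ethernetN.connectionType and ethernetN.vnet, and the sample .vmx content, are my assumptions about the VMware Fusion file format.

```python
import re
from typing import Dict, List, Optional, Tuple

# Adapter index -> (connectionType, vnet) as mapped in Step 9 of the post.
EXPECTED: Dict[int, Tuple[str, Optional[str]]] = {
    0: ("custom", "vmnet4"),   # Network Adapter   -> management, 10.1.0.0/24
    1: ("bridged", None),      # Network Adapter 2 -> bridged to Wi-Fi, 192.168.1.0/24
    2: ("custom", "vmnet2"),   # Network Adapter 3 -> internal, 172.16.1.0/24
    3: ("custom", "vmnet3"),   # Network Adapter 4 -> HA, 172.16.2.0/24
}

# Constructed .vmx excerpt (assumed key names); adapter 4 was mistakenly left on vmnet2.
SAMPLE_VMX = """\
ethernet0.present = "TRUE"
ethernet0.connectionType = "custom"
ethernet0.vnet = "vmnet4"
ethernet1.present = "TRUE"
ethernet1.connectionType = "bridged"
ethernet2.present = "TRUE"
ethernet2.connectionType = "custom"
ethernet2.vnet = "vmnet2"
ethernet3.present = "TRUE"
ethernet3.connectionType = "custom"
ethernet3.vnet = "vmnet2"
"""

VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text: str) -> Dict[str, str]:
    """Turn key = "value" lines into a dict; blank and non-matching lines are skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def check_adapters(cfg: Dict[str, str], expected=EXPECTED) -> List[str]:
    """One message per adapter whose wiring differs from the lab topology."""
    problems: List[str] = []
    for idx, (ctype, vnet) in expected.items():
        key = f"ethernet{idx}"
        if cfg.get(f"{key}.present", "").upper() != "TRUE":
            problems.append(f"{key}: adapter not present")
            continue
        actual_type, actual_vnet = cfg.get(f"{key}.connectionType"), cfg.get(f"{key}.vnet")
        if actual_type != ctype or (vnet is not None and actual_vnet != vnet):
            problems.append(f"{key}: {actual_type}/{actual_vnet}, expected {ctype}/{vnet}")
    return problems
```

Run it on the VM's real .vmx (VMware Fusion stores it inside the .vmwarevm bundle) before powering the appliance on; an empty list means the wiring matches Fig 1.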

A review of “CCDE The Practical Guide”

When it comes to CCDE certification preparation, unlike the CCIE exams it is hard to get instant gratification, as the CCDE is theoretical and one will certainly not be configuring real gear.

Often those who come from a hands-on background find it hard to measure their progress, and usually they end up giving up their CCDE aspirations.

At one point in my life I aspired to be a CCDE and did start my journey. However, my dopamine levels never rose with the CCDE training material available at that time. I gave up.

Getting to know Mohamed Radwan, and the frequent discussions I had with him about technology, made the paradigm shift in my transformation from an implementation and operations engineer to a security architect.

Lately, several technical encounters I had with Mohamed, and especially attending his last CCDE boot camp as a guest participant to review the security domain, gave me insight into what made me give up my CCDE aspirations. He is quite competent at bringing in the awareness and the mindset one needs to persist in becoming a CCDE.

When Mohamed released his much-awaited title “CCDE The Practical Guide”, I realized that if this title had existed a few years back, my motivation would not have faded away. I feel the title is a continuation of his CCDE boot camp, as it is quite analytical and practical and brushes up one's mindset from the CCDE exam perspective.

Not only does the title come with four different scenarios covering critical sectors like finance, service providers, training firms and telcos, but it also addresses the full range of technologies vital to the CCDE exam. Mohamed is quite articulate in presenting the scenarios in an exciting format; they feel real and force the reader to contemplate and act.

The juice of this title is the questions and options provided for each scenario. Once one has responded to all the items for the four scenarios that come with the title, one can measure one's understanding and which hat one wore while answering those questions. The tips Mohamed provides for each question give an idea of the mindset one should have while answering CCDE exam questions.

To conclude, this title will undoubtedly help CCDE aspirants gain a great understanding of the CCDE exam, how to approach each question and what mindset to have.