Sunday, February 24, 2008

How to match CoS on a 3750

During the last 2 days I have been trying to limit ingress PPPoE traffic passing through a 3750 switch. In order to be as strict as possible, I didn't want to drop any PPP/PPPoE control packets, like PPP keepalives/LCP auth or PADI/PADO/PADR/PADS; otherwise there was a high possibility that the PPPoE connections of some users would be dropped (because of missed PPP keepalives) or would not be established (because of missed PPPoE discovery packets).

The PPPoE connections start from the user's CPE and end at a 10000 router (BRAS). A rough network diagram is the following:

CPE --- DSLAM --- ME-3400 ----------|
CPE --- DSLAM --- ME-3400 ------- 3750 --- 7600 --- 10000 --- internet
CPE --- DSLAM --- ME-3400 ----------|

Double-tagging happens between the 3750 and the 10000 router (each ME-3400 represents a S-VLAN).

Since normal LAN cards (67xx) on the 7600 cannot do egress shaping/policing on L2 ports and the PRE-2 on the 10000 doesn't support hierarchical ethernet QoS, I thought I should try to limit the downstream traffic (from internet to CPE) on the 3750.

Here comes the fun part...

3750 doesn't support (direct) classification based on CoS.

3750(config)#class-map TEST
3750(config-cmap)#match ?
access-group Access group
input-interface Select one or more input interfaces to match
ip IP specific values

That would be the best solution, because the 10000 marks by default all the PPP/PPPoE control packets with CoS 7, so it would be very easy to distinguish them from the normal/data packets (that have CoS 0).

Then I thought of using the ethertype field to differentiate the 2 PPPoE classes. PPPoE uses 2 different ethertypes, one for its discovery stage and one for its session stage.

mac access-list extended PPPoE-DISCOVERY
permit any any 0x8863 0x0
mac access-list extended PPPoE-SESSION
permit any any 0x8864 0x0

class-map match-any PPPoE-DATA-CLASS
match access-group name PPPoE-SESSION
class-map match-any PPPoE-CONTROL-CLASS
match access-group name PPPoE-DISCOVERY

That would also be a good solution, although I would miss the PPP control packets. But there is a major problem here. The PPPoE ethertype is hidden inside the double-tagged frame, so it cannot be checked.

PPPoE : Dest-MAC | Source-MAC | Ethertype | Payload

single-tagged PPPoE : Dest-MAC | Source-MAC | Ethertype (0x8100) | Tag | Ethertype (0x8863) | Payload

double-tagged PPPoE : Dest-MAC | Source-MAC | Ethertype (0x8100) | Tag | Ethertype (0x8100) | Tag | Ethertype (0x8863) | Payload

0x8100 is the ethertype used by the 802.1q standard. Cisco uses what I would call a "hack" in order to implement 802.1q tunneling (or QinQ). It uses the same value (0x8100) for the inner and outer ethertype.

There is an option to change the outer ethertype from the 10000's side (making it -among other choices- 802.1ad compliant), but you have to change it for all the subinterfaces of a main interface and of course you cannot define it explicitly for PPPoE control packets.

10000(config-if)#dot1q tunneling ethertype ?
0x88A8 dot1q tunneling etype 0x88A8
0x9100 dot1q tunneling etype 0x9100
0x9200 dot1q tunneling etype 0x9200

So what solved my problem? The following very simple config:

mac access-list extended PPPoE-DISCOVERY
permit any any cos 7
mac access-list extended PPPoE-SESSION
permit any any cos 0

That way we can have indirect classification based on CoS.

Like we have DSCP & IP Prec match for ip access-lists, we can have a CoS match for mac access-lists. Just keep in mind that CoS (like most things) in switches is only checked by hardware. Packets forwarded or bridged by software are treated as having a CoS of 0 in ACL matches.
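To make the frame layouts and the two ACL approaches above concrete, here is an added Python model (example code, not from the original post): it walks the 802.1Q tag stack of a frame, shows what an ethertype MAC ACL can compare once the frame is double-tagged (the "switch pops one tag before the ACL looks" behaviour is an assumption of this model), and classifies frames the way the two CoS MAC ACLs above do. All frames are constructed inline.

```python
import struct

# Ethertypes that appear in the frames walked through above
ETH_8021Q = 0x8100            # 802.1Q tag; Cisco QinQ uses it for the outer tag as well
ETH_PPPOE_DISCOVERY = 0x8863  # PADI/PADO/PADR/PADS
ETH_PPPOE_SESSION = 0x8864    # PPP session frames (LCP, keepalives, data)


def parse_frame(frame: bytes) -> dict:
    """Walk the 802.1Q tag stack and return the tags (outer first), the ethertype that
    directly follows the MAC addresses and the payload ethertype hidden behind the tags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12
    first_ethertype = struct.unpack_from("!H", frame, offset)[0]
    ethertype, tags = first_ethertype, []
    while ethertype == ETH_8021Q:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"first_ethertype": first_ethertype, "tags": tags, "payload_ethertype": ethertype}


def acl_visible_ethertype(frame: bytes) -> int:
    """Model (an assumption of this example) of what 'permit any any 0x8863 0x0' can compare:
    the switch pops its own VLAN tag, so the ACL sees the ethertype behind ONE tag.
    With QinQ that is just another 0x8100 and the PPPoE ethertype stays hidden."""
    info = parse_frame(frame)
    if not info["tags"]:
        return info["first_ethertype"]
    return ETH_8021Q if len(info["tags"]) > 1 else info["payload_ethertype"]


def classify_by_cos(frame: bytes) -> str:
    """The working ACLs from the post: 'permit any any cos 7' -> control class,
    'permit any any cos 0' -> data class. CoS is the PCP of the outermost tag; a frame
    without a tag (like one punted to software on the switch) counts as CoS 0."""
    tags = parse_frame(frame)["tags"]
    cos = tags[0]["pcp"] if tags else 0
    if cos == 7:
        return "PPPoE-CONTROL-CLASS"
    if cos == 0:
        return "PPPoE-DATA-CLASS"
    return "UNMATCHED"


def build_frame(tags, ethertype: int, payload: bytes = b"\x00" * 4) -> bytes:
    """Constructed test frame: MACs, one 802.1Q tag per (pcp, vid) pair (outer first), payload ethertype."""
    frame = bytes.fromhex("ffffffffffff") + bytes.fromhex("0200000000aa")
    for pcp, vid in tags:
        frame += struct.pack("!HH", ETH_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return frame + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    # A PADI as the 3750 sees it: S-VLAN 2999 outside, C-VLAN 103 inside, CoS 7 as marked by the BRAS
    padi = build_frame([(7, 2999), (7, 103)], ETH_PPPOE_DISCOVERY)
    print(parse_frame(padi))
    print(hex(acl_visible_ethertype(padi)), classify_by_cos(padi))
```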

Here is an interesting question for all of you: How do you match IP traffic based on CoS?

Saturday, February 23, 2008

CCIE plaque - too cheap for a CCIE?

From the CCIE Program Features :

CCIE Plaque and Certificate
As an official CCIE, you will receive an engraved plaque and certificate, shipped to the address listed in your profile within 10-12 weeks. Please make sure your contact information is up-to-date.

Yesterday, one month after my lab exam, I received my CCIE plaque (if that can be considered a plaque). According to some people it's a crystal inscribed plaque. According to my own perception/feeling/impression (call it whatever you like) it seems like a plastic frame with an inkjet-like "printed paper" inside it and glass on top of it. I'm also still searching for the "engraved" part of it.

As it seems, Cisco is trying to cut expenses (although the CCIE lab recently increased its price). It's a shame that the plaque for one of the best certifications out there seems so cheap. Someone else would probably have created a better plaque by simply putting the CCIE certificate inside a nice wooden/silver frame. Btw, the DHL receipt shows MJR as the sender and $10 as customs value.

After contacting a friend of mine (a CCIE too), I was told that the advertising company that had created the first CCIE plaques (the ones with a bronzed circular medallion in a wooden frame) is probably still selling these for all CCIEs who may want the old-style plaque (my friend bought his 2 years ago). The company is Brandvia and this is the page from their website regarding the CCIE plaque and jacket.

I have sent them an email requesting more info about the price, the payment/delivery method and of course asking them if they still sell the old CCIE plaques.

I hope I'll get a positive answer soon...

Cisco, one more for you!

Btw, one week ago, I had received my CCIE certification. Nothing extreme here:

Just an update here.

On 25/Feb/2008 I got an answer from BrandVia and they say that they are no longer authorized to make the old style CCIE plaques (like Scott said) and that I should talk with the Certification Program Manager, Abby Douglas. I sent an email to Abby too, but I never got an answer...

Wednesday, February 13, 2008

7600-ESM-20X1GE (7600-ES20) testing

The last week I've been experimenting with an ES20 card and I must say I'm impressed. A lot of nice features (that should be standard in the simple 6500/7600 LAN cards too) are included, while some others are there to help you accomplish whatever ethernet scenario comes into your mind.

These are some features that differentiate it from the simple 67xx cards:

  • Subinterfaces
  • Subinterface Switchport / Subinterfaces MultiPoint Bridging (MPB) with Spanning Tree
  • Ethernet Multipoint Bridging with Local VLAN significance per port
  • Double-tag IP termination
  • Flexible QinQ mapping and termination
  • many MPLS features
  • many QoS features

The ES20 card supports (among others) the following L2 features:

Flexible QinQ Mapping and Service Awareness
The Flexible QinQ Mapping and Service Awareness on 7600-ESM-2X10GE and 7600-ESM-20X1GE feature allows service providers to offer triple-play services, residential internet access from a DSLAM, and business Layer 2 and Layer 3 VPN by providing for termination of double-tagged dot1q frames onto a Layer 3 subinterface at the access node.

MultiPoint Bridging over Ethernet (MPBE)
The MultiPoint Bridging over Ethernet (MPBE) on 7600-ESM-2X10GE and 7600-ESM-20X1GE feature provides Ethernet LAN switching with MAC learning, local VLAN significance, and full QoS support. MPBE also provides Layer 2 switchport-like features without the full switchport implementation.

Both features are supported only through Ethernet Virtual Connection Services (EVCS) service instances.

EVCS uses the concepts of EVCs (Ethernet virtual circuits) and service instances. An EVC is an end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a customer. It embodies the different parameters on which the service is being offered. A service instance is the instantiation of an EVC on a given port on a given router.

This was my test setup regarding the ES20 :

IOS 12.2.33SRC

I also used 2 6500s (with 6724-SFP cards) and 2 routers (7200s), creating an ethernet-only network like the following:

Router-1 <===> 6500-1 <===> 7609 <===> 6500-2 <===> Router-2

My objectives were the following:

1) Start from single-tag IP termination (Router-1) and end at double-tag IP termination (Router-2)
2) Translate an outer vlan to a new one (2999 => 3999) while moving from 6500-1 to Router-2, leaving the inner vlans unchanged and vice versa
3) Terminate an outer-vlan/inner-vlan pair (2999/103) locally on the 7609
4) Apply some egress QoS (shaping, LLQ) on the above 2 vlans on the 7609

Router-1 <===> 6500-1
Router-1 interface is an ethernet interface with many ip subinterfaces

interface GigabitEthernet0/2.101
description ** 6500-1 - vlan 101 **
encapsulation dot1Q 101
ip address
interface GigabitEthernet0/2.102
description ** 6500-1 - vlan 102 **
encapsulation dot1Q 102
ip address
interface GigabitEthernet0/2.103
description ** 6500-1 - vlan 103 **
encapsulation dot1Q 103
ip address

6500-1 interface is a dot1q-tunnel (double-tagging all incoming frames)

interface GigabitEthernet3/9
description ** Router-1 **
switchport access vlan 2999
switchport mode dot1q-tunnel
mtu 9216
mls qos trust cos
mls qos cos-mutation COS-TUNNEL-MAP
spanning-tree bpdufilter enable

6500-1 <===> 7609
6500-1 interface is a trunk (allowing only the original outer vlan)

interface GigabitEthernet3/10
description ** 7609 Gi5/0/0 **
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2999
switchport mode trunk
switchport nonegotiate
mtu 9216
mls qos trust cos
mls qos cos-mutation COS-TUNNEL-MAP
spanning-tree bpdufilter enable

7609 interface includes a service instance for the outer vlan translation

interface GigabitEthernet5/0/0
mtu 9216
service instance 2999 ethernet
encapsulation dot1q 2999
rewrite ingress tag translate 1-to-1 dot1q 3999 symmetric

The number 2999, which is used for defining the service instance, can be whatever you like; it doesn't have to be the same as the vlan number. I just used the same number for simplicity.
The "encapsulation dot1q 2999" command defines the ingress match criteria for this service instance.
The "rewrite ingress tag translate 1-to-1 dot1q 3999 symmetric" command defines a 1-to-1 translation of the ingress matched vlan (2999) to 3999 and the opposite ("symmetric").
Generally, the service instance is "equivalent" to a trunk port.
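To make the ingress/egress behaviour of that service instance concrete, here is an added Python model (example code, not the 7609's own logic and not from the original post): a ServiceInstance claims only frames whose outer tag matches "encapsulation dot1q 2999", rewrites the outer VID to 3999 while leaving PCP, the inner tag and the payload untouched, and applies the reverse rewrite on egress for "symmetric". The frames are constructed inline.

```python
import struct

ETH_8021Q = 0x8100  # Cisco QinQ uses 0x8100 for both tags


class ServiceInstance:
    """Model of one 'service instance N ethernet' configured with
    'encapsulation dot1q MATCH' and 'rewrite ingress tag translate 1-to-1 dot1q NEW symmetric'."""

    def __init__(self, match_vid: int, new_vid: int):
        self.match_vid = match_vid   # encapsulation dot1q <match_vid>: the ingress match criterion
        self.new_vid = new_vid       # rewrite ... dot1q <new_vid>: the translated outer VID

    @staticmethod
    def _set_outer_vid(frame: bytes, vid: int) -> bytes:
        tci = struct.unpack_from("!H", frame, 14)[0]
        tci = (tci & 0xF000) | (vid & 0x0FFF)   # keep PCP and DEI, replace only the 12-bit VID
        return frame[:14] + struct.pack("!H", tci) + frame[16:]

    def ingress(self, frame: bytes):
        """Only frames whose outer VID equals the encapsulation match belong to this instance;
        their outer VID is translated 1-to-1. Anything else is not claimed (None)."""
        if outer_vid(frame) != self.match_vid:
            return None
        return self._set_outer_vid(frame, self.new_vid)

    def egress(self, frame: bytes):
        """'symmetric': the reverse translation is applied to frames leaving through the same port."""
        if outer_vid(frame) != self.new_vid:
            return None
        return self._set_outer_vid(frame, self.match_vid)


def outer_vid(frame: bytes):
    """VID of the outermost tag, or None when the frame is untagged."""
    ethertype, tci = struct.unpack_from("!HH", frame, 12)
    return tci & 0x0FFF if ethertype == ETH_8021Q else None


def outer_pcp(frame: bytes) -> int:
    """PCP (CoS) of the outermost tag."""
    return struct.unpack_from("!H", frame, 14)[0] >> 13


def inner_vid(frame: bytes) -> int:
    """VID of the second (customer) tag of a double-tagged frame."""
    return struct.unpack_from("!H", frame, 18)[0] & 0x0FFF


def qinq_frame(outer_cos: int, outer: int, inner: int, ethertype: int = 0x0800) -> bytes:
    """Constructed double-tagged frame: two 0x8100 tags in front of a dummy IP payload."""
    macs = bytes.fromhex("0200000000bb") + bytes.fromhex("0200000000aa")
    tag_outer = struct.pack("!HH", ETH_8021Q, (outer_cos << 13) | outer)
    tag_inner = struct.pack("!HH", ETH_8021Q, inner)
    return macs + tag_outer + tag_inner + struct.pack("!H", ethertype) + b"\x00" * 20
```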

The 7609 does mainly two things:

Outer vlan translation (see above) and egress shaping

class-map match-all TRAFFIC1
match cos 6 7
policy-map TRAFFIC1
class TRAFFIC1
shape average 128000
class class-default
shape average 10000000
interface GigabitEthernet5/0/0
mls qos trust cos
service instance 2999 ethernet
service-policy output TRAFFIC1
connect EVC1 GigabitEthernet5/0/0 2999 GigabitEthernet5/0/1 3999

The "connect EVC1..." command creates the evc that connects the 2 service instances of the 2 interfaces of the 7609.

IP Q-in-Q termination for a specific outer-vlan/inner-vlan pair and egress LLQ/policing

class-map match-all TRAFFIC2
match cos 3 5
policy-map TRAFFIC2
class TRAFFIC2
police 5000000
class class-default
shape average 1000000
interface GigabitEthernet5/0/0.2999103
description ** local termination - vlan 2999/103 **
encapsulation dot1Q 2999 second-dot1q 103
ip address
service-policy output TRAFFIC2

Policing must be used together with priority for LLQ.

7609 <===> 6500-2
7609 interface includes a service instance for the outer vlan translation

interface GigabitEthernet5/0/1
description ** 6500-2 **
mls qos trust cos
service instance 3999 ethernet
encapsulation dot1q 3999
rewrite ingress tag translate 1-to-1 dot1q 2999 symmetric

6500-2 interface is a trunk (allowing only the translated outer vlan)

interface GigabitEthernet3/11
description ** 7609 Gi5/0/1 **
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 3999
switchport mode trunk
switchport nonegotiate
mtu 9216
mls qos trust cos
mls qos cos-mutation COS-TUNNEL-MAP
spanning-tree bpdufilter enable

6500-2 <===> Router-2
6500-2 interface is a trunk (allowing only the translated outer vlan)

interface GigabitEthernet3/12
description ** Router-2 **
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 3999
switchport mode trunk
switchport nonegotiate
mtu 9216
mls qos trust cos
mls qos cos-mutation COS-TUNNEL-MAP
spanning-tree bpdufilter enable

Router-2 interface is an ethernet interface with the remaining IP Q-in-Q subinterfaces

interface GigabitEthernet0/2.3999101
description ** 6500-2 - vlan 3999/101 **
encapsulation dot1Q 3999 second-dot1q 101
ip address
interface GigabitEthernet0/2.3999102
description ** 6500-2 - vlan 3999/102 **
encapsulation dot1Q 3999 second-dot1q 102
ip address

Btw, the CCO configuration page about ES20 must be one of the worst ever written. Many configuration examples are wrong (they probably haven't even tried them), while some others are missing explanations.

Sunday, February 10, 2008

show parser dump - full CLI syntax at your hands

To display the CLI syntax options for all command modes or for a specified command mode, you can use the show parser dump command in privileged EXEC mode.

This command was developed to allow the exploration of the CLI command syntax without requiring the user to actually enter a specific mode and use the ? command line help.


The following command will display all the commands that can be entered under "map-class" config mode and contain the "frame-relay" word:

router#show parser dump map-class | inc frame-relay

The following command will display all the commands that can be entered under the "route-map" config mode and contain the "match" word:

router#show parser dump route-map | inc match

The following will display all commands (config & exec) that contain the word "igmp" :

router#show parser dump all | inc igmp

So, if you don't remember a specific command, but you know a keyword that might be included in it, you can use the "show parser dump" commands to help you find all possible syntaxes.

The number that you see in front of each command syntax is the privilege level required in order to execute that command.

You can also use the "extend" keyword at the end in order to display more detailed keyword and argument descriptions:

router#sh parser dump sla-monitor extend
Mode Name :sla-monitor
15 type udpEcho dest-ipaddr dest-port <1-65535> source-ipaddr
type : Type of entry
udpEcho : UDP Echo Operation
dest-ipaddr : Destination address
: IP address or hostname
dest-port : Destination Port
<1-65535> : Port Number
source-ipaddr : Source address
: IP address or hostname

15 type udpEcho dest-ipaddr dest-port <1-65535> source-port <1-65535>
type : Type of entry
udpEcho : UDP Echo Operation
dest-ipaddr : Destination address
: IP address or hostname
dest-port : Destination Port
<1-65535> : Port Number
source-port : Source Port
<1-65535> : Port Number

Use caution when entering this command with the all keyword. A large amount of output can be generated by this command, which may easily exceed buffer or system memory on smaller platforms. Also, some configuration modes have hundreds of valid commands. For large dumps, use of the redirection to a file using the | redirect URL syntax at the end of the command is highly recommended.
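An added example (not part of the post) that parses the "extend" output shown above offline, e.g. from a dump redirected to a file: it records the privilege level of every syntax line together with its keyword descriptions, which is handy when reviewing what a restricted privilege level on a box can actually run. The sample text is the post's own output; find_commands and max_privilege are names chosen here.

```python
import re
from typing import Dict, List

# Sample copied from the 'show parser dump sla-monitor extend' output above (IOS indents the
# keyword lines; the regexes below accept them with or without that indentation).
SAMPLE_DUMP = """\
Mode Name :sla-monitor
15 type udpEcho dest-ipaddr dest-port <1-65535> source-ipaddr
type : Type of entry
udpEcho : UDP Echo Operation
dest-ipaddr : Destination address
: IP address or hostname
dest-port : Destination Port
<1-65535> : Port Number
source-ipaddr : Source address
: IP address or hostname

15 type udpEcho dest-ipaddr dest-port <1-65535> source-port <1-65535>
type : Type of entry
udpEcho : UDP Echo Operation
dest-ipaddr : Destination address
: IP address or hostname
dest-port : Destination Port
<1-65535> : Port Number
source-port : Source Port
<1-65535> : Port Number
"""

MODE_RE = re.compile(r"^Mode Name\s*:\s*(\S+)")
CMD_RE = re.compile(r"^(\d+)\s+(\S.*?)\s*$")        # privilege level, then the command syntax
DESC_RE = re.compile(r"^\s*(\S*)\s*:\s*(.*?)\s*$")   # 'keyword : description'; keyword empty for arguments


def parse_parser_dump(text: str) -> List[Dict]:
    """Turn 'show parser dump <mode> extend' output into one record per command syntax."""
    mode = None
    commands: List[Dict] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MODE_RE.match(line)
        if m:
            mode = m.group(1)
            continue
        m = CMD_RE.match(line)
        if m:
            commands.append({"mode": mode, "privilege": int(m.group(1)),
                             "syntax": m.group(2), "args": []})
            continue
        m = DESC_RE.match(line)
        if m and commands:
            commands[-1]["args"].append((m.group(1), m.group(2)))
    return commands


def find_commands(commands: List[Dict], keyword: str, max_privilege: int = 15) -> List[Dict]:
    """Offline equivalent of '| inc <keyword>', additionally limited to commands a user
    at privilege level max_privilege (or lower) is allowed to execute."""
    return [c for c in commands if keyword in c["syntax"] and c["privilege"] <= max_privilege]
```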

Wednesday, February 6, 2008

CCIE practice - My dynamips environment

This is the PC I used during my practice:

Abit IP35Pro
Core2Duo E6550 (@2.66)
320GB HD
Windows XP & Ubuntu

I started using Windows XP, but soon I found out that I couldn't run more than 10 routers concurrently (I didn't insist too much on trying this). So I switched to Ubuntu, where after 1 week of trial & error I managed to create my home environment and then run the sample lab that is provided free at IE's site. You can find more information in a previous post of mine about this setup.

Afterwards, I started creating mini labs on this setup, based on the topology of IE's sample lab, "stealing" ideas from the 2 CCIE Practical Studies books and adapting them to a specific physical topology. I started using 3640s as routers and switches (using 12.3(14)T7) but I had a lot of issues with spanning-tree & transparent VTP (it was like spanning tree was getting stuck). So I decided to use 3725s as switches, 3640s as routers and move both routers and switches to the latest 12.4 IOS (12.4(17a) at that time).

Although everything was working fine in Ubuntu, I had to switch to Windows quite often in order to check some other material I had there, especially my email (although I could read my new emails from inside Ubuntu, I couldn't read the old ones). Also, I was experiencing strange crashes once in a while in Ubuntu when restarting dynagen. So I decided to give it one more try and transfer the dynamips/dynagen setup to Windows again.

I had already found the ideal idlepc values for my routers' IOS on Ubuntu, so I was going to use the same on Windows. The biggest difference between Ubuntu & Windows was that I had to use the sparsemem option in dynagen on Windows (only for routers) in order to decrease memory usage, but even after that, Ubuntu was still using less memory. Also, CPU usage was a little bit higher in Windows, but as long as it stayed below 15%, it wasn't a problem. Having full configurations on all 13 routers/switches kept the CPU around 40% busy, which was fine by me (in Ubuntu it was under 20%). At the same time, memory usage was around 1.4GB on Windows and under 1GB in Ubuntu.

I used 2 dynamips processes in order to split the memory usage per process (Windows is said to have a problem with this) and I assigned all routers to one process and all switches + bb routers to the other process (pretty much like IE's dynamips setup). Btw, you can find a lot of useful info about dynamips/dynagen in

This is the general routers/switches dynagen setup i used on Windows:

image = C:\images\c3640-ik9o3s-mz.124-17a.extracted.bin

ram = 128
disk0 = 0
disk1 = 0
idlepc = 0x605a5040
mmap = True
ghostios = True
sparsemem = true

image = C:\images\c3725-adventerprisek9-mz.124-17a.extracted.bin

ram = 128
disk0 = 8
disk1 = 0
idlepc = 0x62379ed0
mmap = True
ghostios = True

It took me a while until I was able to initialize the setup for every mini-lab I was doing. I was spending around 2 hours preparing my setup for each mini-lab. But, after creating an xls table with the differences between my physical topology and the mini-lab topologies, I managed to bring this time down to 20-30 minutes.

I also used the same topology for all the Mock Labs, which helped me a lot. There were some issues with L2 features not supported by dynamips, but I wasn't worried because I knew most of this stuff. Nevertheless, I had a scrap paper near me where I was taking notes and I also used it for writing down all the config commands I couldn't configure. That way I was able to grade myself in everything, even in things dynamips didn't support.

One thing that I didn't regret is that when I was redoing my Mock Labs using dynamips, I did every possible task, even the ones that seemed silly and were repeated quite a few times. There were times when I was thinking how boring it is to configure something for the nth time, but I knew I had to do it if I wanted to succeed.

Lastly, I had created a PDF file like the following (I created it in Excel, then converted it to PDF and printed it), where for every Mock Lab I was writing the task number, the task points, whether I thought I had completed it and some notes about tricky things or things to be looked at later.

After finishing each lab, I was comparing my solution to the proctor's one and I was grading myself. Mostly I was giving myself lower grades for all alternative solutions, until I was 100% sure that my solution was correct too. That way, after finishing all Mock Labs, I was able to see in which parts I had repeatedly made mistakes so that I could focus more on these.

My final advice :
Try to be organized! It'll make your preparation much easier.
Try to repeat things! It'll make your exam much easier.

In the meantime, I have already decided which exam I'm going to try next, but I won't reveal it until the poll ends. Of course my pre-preparation has already started...

Btw, I'm also searching for a new job. Last weekend I rewrote my CV (it has been a long time since I had updated it) and I have already found 3 "candidate" companies which seem very interesting. But I won't do anything until the end of this month, because I'm waiting for an offer from my current job.

Saturday, February 2, 2008

Greek CCIEs

I'm trying to gather the names of all the Greek CCIEs and this is the list I have come up with until now:

? Sotiris Spanos
? Paraskevas Lykourgiotis
? Nassos Papakostas
? Anastasios Lilakos

1858 Nicholas Stathakis
2310 Andreas Agrafiotis
4273 Pantelis Parvantonis
4446 Dimitri Kotantoulas
6046 Narkissos Sevastiadis
6507 Vicky Fyrigou
6866 Vassilis Constantopoulos
6969 Chara Kontaxi
6981 Nikolaos Apostolou
7201 Yiannis Theologitis
7394 Elias Aggelidis
7522 Giannis Mouzakis
7676 Theodore Tzevelekis
8068 Epaminondas Karelis
8418 George Venianakis
8512 Giorgos Katsikogiannis
8729 Alkiviadis Zoupas
8787 Panayiotis Soultos
9559 Apostolos Asteriadis
9696 Dionisis Koutsis
9723 Thanos Sioutas
10166 Bill Kaloudis
10519 Andreas Deliandreadis
10721 Yiannis Margaritis
10752 Evangelos Vayias
10823 Chris Zotos
10903 Stathis Atmatzidis
11595 Dionyssis Theodosioy
11826 Sotiris Leventis
12239 Orestes Matos
12731 Constantinos Palamaras
13419 Mike Mihalas (?)
13998 Harris Prodromou
14922 Spyros Kranis
15010 George Papadimitriou
15600 Varthis Vassilantonakis
18448 Katerina Proestaki
19226 Constandinos Spathas
19858 Tassos (R&S)
24902 Konstantinos Chelidonis
25653 Vasileios Matiakis
28389 Dimitris Vassilopoulos
35300 Panagiotis Evangeliou (Voice)
36537 Spyridon Kakaroukas (R&S)
36673 George I. Papadopoulos (Voice)
36700 Panagiotis Tragas (R&S)

45+4 out of 50?

Last update : 07-Dec-2012

If anyone knows more info, please help me fill the above list.
For everyone interested, Brad Reese is trying to keep records of number of CCIEs over time.

General lists of CCIEs:

Update #1
Many thanks to Yiannis (#10721) for providing updated info.

Update #2
CCIE statistics have vanished from Cisco (check, so it's difficult to know the current number of Greek CCIEs.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Greece License.