AWS Cloud Practitioner: Passed!

Wednesday (5/19) I passed the AWS Cloud Practitioner certification. This was the first non-Cisco cert that I have taken (outside of ITIL, which was work sponsored). It has been about 7 years since I last worked with AWS. When I began studying I was surprised how much I had forgotten. I also found how narrow my view was back then, only focusing on the networking aspects of the early days of the cloud.

The challenging part of this exam for me was the database sections and the billing. The last time I dealt with databases in any form was in college and I don’t remember much about it. Learning the difference between relational and non-relational databases helped me figure out the different offerings in AWS. Without knowing why the differences mattered I couldn’t get through my head what each service did and how they were different. The billing section just felt repetitive and had a lot of tools that all sounded the same.

Overall I thought this was a fair exam and stayed within the blueprint (as vague as that blueprint was). I found Udemy had the best video trainings on this. PluralSight had a few, but nothing as in-depth as Stephane Maarek. Stephane's Udemy training went over each service and most had a hands-on lab. They were short videos that were easy to learn from with great practice tests after each section.

Now that I have gotten my feet wet with the AWS certifications I think I'll work on the Solutions Architect Associate next. It looks closely related to what I just learned and goes a bit further into each of the technologies. It also feels the most relevant to my job and being able to help my customers, or at least understand what they are doing in the cloud and where my integration points are.

CCIE RS – Written – L2 – Implement and Troubleshoot VLANs

VLAN – Virtual LAN

  • Administratively defined subset of switch ports that are in the same broadcast domain
  • Broadcast domain – devices that can receive broadcast sent by another device
  • Best Practice – 1 to 1 relationship between IP subnet and VLAN


  • vlan [id] – creates the VLAN in global config
  • Under interface > switchport access vlan [id]
  • Modify VLAN operational state (L2 only)
    • Can be suspended globally for the entire VTP domain or locally on one switch
    • vlan [id] > state suspend (global, propagated by VTP) | shutdown (local to this switch only)

Access Ports

Belongs to and carries traffic for only one VLAN


interface > switchport access vlan [#]

VLAN Database

  • Vlan 0 – Reserved, not available for use
  • Vlan 1 – Default vlan for all access ports
    • Cannot be deleted or pruned
  • Vlan 4095 – Reserved, not available for use

Switch#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------


Normal VLAN

1 – 1001

  • Can be advertised with VTPv1 and 2
  • Configured in vlan database, global config
  • Details stored in vlan.dat
  • Can be pruned

1002 – 1005 Special uses

  • Cannot be pruned
  • 1002 fddi-default
  • 1003 token-ring-default
  • 1004 fddinet-default
  • 1005 trnet-default

Extended VLAN

1006 – 4094

With VTPv1 and v2 the switch must be in transparent mode to create extended VLANs (they are not advertised or pruned); VTPv3 can distribute them

Voice VLAN

Enables access ports to carry traffic from an IP Phone

  • Portfast is automatically enabled when voice vlan is configured
    • Not disabled if voice vlan is removed

Configure how the Cisco IP Phone carries voice traffic:

  • vlan-id – Configure the phone to forward all voice traffic through the specified VLAN. By default, the Cisco IP Phone forwards the voice traffic with an IEEE 802.1Q priority of 5. Valid VLAN IDs are 1 to 4094.
  • dot1p – Configure the phone to use IEEE 802.1p priority tagging for voice traffic and to use the default native VLAN (VLAN 0, i.e. a priority-tagged frame) to carry all traffic. By default, the Cisco IP Phone forwards the voice traffic with an IEEE 802.1p priority of 5.
  • none – Allow the phone to use its own configuration to send untagged voice traffic.
  • untagged – Configure the phone to send untagged voice traffic.

CCIE RS – Written – L2 – Implement and Troubleshoot Trunking

Implement and Troubleshoot Trunking


  • Allows devices to send traffic for multiple vlans across a single link
  • Trunking protocols must match on both ends


ISL – Inter-Switch Link

  • Cisco proprietary (legacy; not supported on newer platforms)
  • Supports normal and extended VLANs
  • Encapsulates the original frame
    • 26-byte header plus a 4-byte FCS trailer (30 bytes of overhead)
  • No concept of native VLAN


802.1Q

  • Open standard (IEEE)
  • Supports normal and extended VLANs
  • Inserts a tag into the original frame
    • 4-byte tag: 16-bit TPID 0x8100 + 16-bit TCI (3-bit priority, 1-bit DEI, 12-bit VLAN ID)
    • Frame tagging, so the FCS is recomputed
  • Concept of native VLAN
    • Traffic in the native VLAN is sent untagged
    • All received untagged frames are assigned to the native VLAN
    • Must match on both ends of the trunk
    • Detection for mismatch
      • Cisco switches – proprietary extension in PVST+ and Rapid PVST+ (%SPANTREE-2-RECV_PVID_ERR)
      • CDP neighbor can detect and report via syslog (%CDP-4-NATIVE_VLAN_MISMATCH)
    • Default native VLAN is 1
      • Best practice is to change it to an unused VLAN, and optionally tag it (vlan dot1q tag native), to prevent VLAN hopping attacks: the double-tagging attack depends on the attacker's access VLAN being the trunk's untagged native VLAN

DTP – Dynamic Trunking Protocol

  • Dynamically learns whether the device on the other end wants to trunk and negotiates which encapsulation to use
  • Modes
    • Dynamic Auto – negotiates passively; becomes a trunk only if the far end is trunk or desirable
      • Prefers to remain an access port
    • Dynamic Desirable – negotiates actively
      • Prefers to be a trunk port
      • Highest priority
      • Will choose ISL if both sides support it
    • Different switch models have different default modes, so verify with show interfaces [x] switchport
    • DTP and VTP are independent
      • DTP messages carry the VTP domain name; a domain mismatch prevents the trunk from negotiating
  • Reduce the number of VLANs on a trunk
    • VLANs must be configured on the switch before they are considered active on the trunk
    • Administratively configure the allowed list or use VTP pruning
      • switchport trunk allowed vlan [add | remove | except | all | list]
  • Config
    • switchport mode [trunk | dynamic desirable | dynamic auto | access]
    • switchport nonegotiate
      • Port no longer sends DTP messages (only accepted together with a static trunk or access mode)
      • Security caveat: a port left in a dynamic mode can be talked into trunking by a host speaking DTP (switch spoofing), so user-facing ports should be switchport mode access plus switchport nonegotiate
    • switchport trunk encapsulation [isl | dot1q]
      • Must be set before switchport mode trunk on platforms that support both encapsulations

Q in Q Tunneling

  • VLANs traditionally do not extend past the WAN boundary
  • Standard 802.1ad – Provider Bridges
  • Allows the SP to preserve the customer's 802.1Q VLAN tag across the WAN service
  • CDP, STP and VTP can be configured to pass transparently over Q-in-Q (l2protocol-tunnel)
  • New tagging concept
    • C-Tag – original customer tagged frame
    • S-Tag – additional tag added in front of the C-Tag at the ingress of the SP
      • Tag is removed at the egress of the SP, preserving the original C-Tag
      • Different customers get different S-Tags, which is what keeps their VLAN 10s apart
  • Configuration
    • Customer-facing port: switchport mode dot1q-tunnel, with switchport access vlan [S-Tag VLAN]
    • Increase the system MTU by 4 bytes (e.g. 1504) for the extra header; without it, full-size customer frames are dropped as giants
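The 802.1Q native VLAN notes above and this Q-in-Q section describe the same four bytes from two angles, so here is one worked example for both. It is an added example, not code from the original notes or from Cisco: it builds and parses tagged frames, then models a trunk's native-VLAN handling to show why the double-tagging VLAN hop works when the attacker's access VLAN equals the untagged native VLAN, and why it fails once the native VLAN is changed or tagged. The MAC addresses, payload and function names are constructed for the example; the switch model is a simplification (it assumes the access port accepts a tagged frame whose outer tag matches its access VLAN, which is the behaviour the attack relies on).

```python
import struct

ETH_IPV4 = 0x0800
TPID_DOT1Q = 0x8100    # 802.1Q customer tag (C-tag)
TPID_DOT1AD = 0x88A8   # 802.1ad service tag (S-tag); many switches use 0x8100 for this too

# Constructed sample addresses and payload (not from the original page)
DST = bytes.fromhex("0011223344ff")
SRC = bytes.fromhex("0011223344aa")
PAYLOAD = b"\x45" + b"\x00" * 19   # placeholder, IPv4-header sized


def build_tag(tpid, pcp, vid):
    """4-byte VLAN tag: 16-bit TPID + 16-bit TCI (3-bit PCP, 1-bit DEI, 12-bit VID)."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7):
        raise ValueError("VID must be 0-4095 and PCP 0-7")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def build_frame(dst, src, ethertype, payload, tags=()):
    """tags: iterable of (tpid, pcp, vid), outermost first, inserted after the MACs."""
    return dst + src + b"".join(build_tag(*t) for t in tags) + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, tags, ethertype, payload) with tags as [(tpid, pcp, vid), ...]."""
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while True:
        ethertype = struct.unpack_from("!H", frame, off)[0]
        if ethertype not in (TPID_DOT1Q, TPID_DOT1AD):
            return dst, src, tags, ethertype, frame[off + 2:]
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((ethertype, tci >> 13, tci & 0x0FFF))
        off += 4


def trunk_egress(frame, native_vlan, tag_native=False):
    """Sending side of an 802.1Q trunk: native-VLAN traffic leaves untagged,
    unless the switch is configured to tag it ('vlan dot1q tag native')."""
    dst, src, tags, ethertype, payload = parse_frame(frame)
    if tags and tags[0][2] == native_vlan and not tag_native:
        return build_frame(dst, src, ethertype, payload, tags[1:])   # outer tag stripped
    return frame


def trunk_ingress(frame, native_vlan):
    """Receiving side: untagged frames belong to the native VLAN, tagged ones to their outer tag."""
    _, _, tags, _, _ = parse_frame(frame)
    return tags[0][2] if tags else native_vlan


def double_tag_hop(access_vlan, target_vlan, native_vlan, tag_native=False):
    """Model of the double-tagging VLAN hop. The attacker sits on an access port in
    access_vlan and sends a frame with two 802.1Q tags; the outer tag matches the
    access VLAN so the switch accepts it. Returns the VLAN the next switch delivers to."""
    crafted = build_frame(DST, SRC, ETH_IPV4, PAYLOAD,
                          [(TPID_DOT1Q, 0, access_vlan), (TPID_DOT1Q, 0, target_vlan)])
    on_wire = trunk_egress(crafted, native_vlan, tag_native)
    return trunk_ingress(on_wire, native_vlan)


def provider_ingress(frame, s_vlan):
    """Q-in-Q: the provider edge pushes an S-tag in front of whatever the customer sent."""
    dst, src, tags, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, ethertype, payload, [(TPID_DOT1AD, 0, s_vlan)] + tags)


def provider_egress(frame):
    """Q-in-Q: the provider edge pops the S-tag, handing back the customer's original frame."""
    dst, src, tags, ethertype, payload = parse_frame(frame)
    if not tags or tags[0][0] != TPID_DOT1AD:
        raise ValueError("frame is not carrying an S-tag")
    return build_frame(dst, src, ethertype, payload, tags[1:])


if __name__ == "__main__":
    print("native 1    ->", double_tag_hop(1, 20, native_vlan=1))                    # 20: hop succeeds
    print("native 999  ->", double_tag_hop(1, 20, native_vlan=999))                  # 1
    print("tag native  ->", double_tag_hop(1, 20, native_vlan=1, tag_native=True))   # 1
```

The first call is the attack: the attacker's outer tag (VLAN 1) equals the native VLAN, so the first switch strips it on the trunk and the second switch reads the inner tag and delivers into VLAN 20. Moving the native VLAN to an unused ID, or tagging it, leaves the outer tag in place and the frame stays in VLAN 1. The same tag helpers show the Q-in-Q round trip: an S-tag is pushed in front of the customer's C-tag and popped again, returning a byte-identical frame.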

Manual VLAN Pruning

Manually specify which vlans are allowed across a trunk link

VTP – VLAN Trunking Protocol

  • Advertises vlan config information to neighboring switches
  • Allows vlan config to be done from 1 switch in the domain (dynamic)
  • Advertises VLAN ID, name and type
  • Does not advertise which ports are in the VLAN (port membership stays local)
  • Sends updates out all active trunk links by default
    • Without domain name switches do not send any VTP updates
  • VTP starts working when there is an active trunk link and domain name
  • Configuration
    • Vtp domain [name]
    • Show vtp status
    • Options
      • Domain – sets domain name
        • Switch can only belong to one domain
      • Password – sets password to prevent unauthorized switches from joining domain
      • Mode [server | client | transparent]
      • Version [1 | 2 | 3]
        • Can configure on server switch and will sync with other switches
        • V3 must be manually configured and have domain name configured
      • Pruning
        • Prevent flooding per-VLAN to switches that do not have the VLAN configured
        • Only applied to normal VLAN range
      • Interface
        • Sets the interface whose IP address is used as the updater ID
        • Default is the IP of the lowest-numbered SVI


VTP Version 1

Version 1 is the default

  • Supports only normal vlan range

Message Types (v1 and v2)

  • Summary advertisement
    • Originated by VTP servers and clients every 5 minutes and after each modification of the vlan database
    • Carries the domain name, revision number, updater ID, timestamp, an MD5 digest (computed over the database and the password, if one is set) and the number of subset advertisements that follow
    • Does not carry the vlan database contents itself
  • Subset advertisement
    • Originated by servers and clients after a modification of the vlan database
    • Carries the full vlan database contents
  • Advertisement request
    • Requests a neighbor's complete vlan database or part of it
    • Sent when a switch enters client mode, when a client switch restarts, or when a summary advertisement with a higher revision number is heard
  • Join
    • Sent every 6 seconds on trunks when VTP pruning is active, listing which VLANs this switch needs to receive

Update Process (v1 and v2)

  • Begins when a modification is made to a VLAN
  • The VTP server increments the revision number by 1 and advertises the entire vlan database with the new revision number
  • The revision number lets switches know when vlan database changes have occurred
    • Switches (servers and clients alike) replace their vlan database when a larger revision number shows up, provided the domain name matches and the MD5 digest verifies
    • Caveat: this is how a switch re-used from a lab wipes VLANs from a production domain. Before cabling a switch in, reset its revision number to 0 by changing its domain name or putting it in transparent mode (v1/v2), and check with show vtp status

VTP Modes

  • Server
    • Default mode, with no domain name
    • Updates do not occur until a domain name is configured
  • Client
    • Will assume the first domain name it receives
    • Default domain is NULL
  • Transparent / Off
    • Transparent does not apply received VTP updates but still forwards them out its trunks (v2 forwards regardless of domain name; v1 forwards only if domain name and version match)
    • Off (v3) drops VTP messages entirely
  • Protect the VTP domain – VTP password
    • Summary advertisement carries an MD5 hash computed over the vlan database contents and the VTP password, if configured; a switch with the wrong password cannot produce a digest that verifies
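To make the revision-number and password behaviour above concrete, here is an added example (not code from the original notes or from Cisco) that models a VTPv1/v2 domain in Python. It shows the classic failure: a stale switch that still carries the domain name and a higher revision number overwrites the production vlan database, a password stops it only when the stale switch does not know the password, and resetting the revision (here by bouncing the switch through transparent mode) is what actually makes it safe. The switch names, VLAN list and the digest layout (MD5 over a JSON serialization of the database plus the password) are simplifications chosen for the example; the real digest is computed over the advertisement bytes.

```python
import hashlib
import json


class VtpSwitch:
    """Simplified VTP v1/v2 switch. A summary advertisement carries the domain name,
    revision number, updater ID and an MD5 digest; subset advertisement contents are
    bundled into the same dict for brevity (assumption made for the example)."""

    def __init__(self, name, domain=None, mode="server", password=""):
        self.name, self.domain, self.mode, self.password = name, domain, mode, password
        self.vlans = {1: "default"}
        self.revision = 0

    def _digest(self, vlans):
        # Digest over the database plus the password: a switch that does not know
        # the password cannot produce a digest that verifies here.
        blob = json.dumps(vlans, sort_keys=True).encode() + self.password.encode()
        return hashlib.md5(blob).hexdigest()

    def summary_adv(self):
        return {"domain": self.domain, "revision": self.revision, "updater": self.name,
                "digest": self._digest(self.vlans), "vlans": dict(self.vlans)}

    def add_vlan(self, vid, name):
        """Server-only change; bumps the revision and returns the advertisement to flood."""
        if self.mode != "server":
            raise PermissionError("%s is in %s mode" % (self.name, self.mode))
        if not self.domain:
            raise RuntimeError("no VTP domain name: nothing is advertised")
        self.vlans[vid] = name
        self.revision += 1
        return self.summary_adv()

    def set_mode(self, mode):
        """Moving a v1/v2 switch to transparent resets its revision number to 0."""
        if mode == "transparent":
            self.revision = 0
        self.mode = mode

    def receive(self, adv):
        """Apply a received advertisement; return True if the database was replaced."""
        if self.mode in ("transparent", "off"):
            return False                      # transparent forwards but never applies
        if self.domain is None:
            self.domain = adv["domain"]       # NULL-domain switches adopt the first name heard
        if adv["domain"] != self.domain:
            return False
        if adv["revision"] <= self.revision:
            return False                      # only a higher revision replaces the database
        if adv["digest"] != self._digest(adv["vlans"]):
            return False                      # password mismatch: digest does not verify
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        return True


def stale_switch_scenario(domain_password, stale_password, reset_first=False):
    """A switch that once belonged to a domain named LAB is plugged back in with a
    higher revision and an old VLAN list. Returns (overwritten?, core's VLAN IDs)."""
    core = VtpSwitch("core", "LAB", "server", domain_password)
    access = VtpSwitch("access1", "LAB", "client", domain_password)
    for vid, name in ((10, "users"), (20, "servers")):
        access.receive(core.add_vlan(vid, name))
    stale = VtpSwitch("lab-sw", "LAB", "server", stale_password)
    stale.vlans, stale.revision = {1: "default", 99: "lab"}, 50
    if reset_first:                           # the operational fix before cabling it in
        stale.set_mode("transparent")
        stale.set_mode("server")
    adv = stale.summary_adv()
    results = [core.receive(adv), access.receive(adv)]
    return any(results), sorted(core.vlans)


if __name__ == "__main__":
    print("no password         ->", stale_switch_scenario("", ""))                        # (True, [1, 99])
    print("stale lacks password->", stale_switch_scenario("s3cret", ""))                  # (False, [1, 10, 20])
    print("stale knows password->", stale_switch_scenario("s3cret", "s3cret"))            # (True, [1, 99])
    print("revision reset first->", stale_switch_scenario("s3cret", "s3cret", True))      # (False, [1, 10, 20])
```

The third line is the one to remember: a password protects against an outsider, not against a stale switch from the same domain that still has the password. Only resetting the revision number (or VTPv3's primary-server model, described further down) prevents that overwrite.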


VTP Version 2

Enhanced version of v1

  • Supports token ring concentrator relay function and bridge relay function
    • Not used in ethernet based networks
  • Supports unknown TLV (Type Length Value)
    • V1 would drop unrecognized TLV’s which would stop propagation to other switches
  • Optimized vlan database consistency checking
    • Implementation optimization
    • Skips the consistency check when the change arrived in a VTP message (checks only changes entered via CLI or SNMP)


VTP Version 3

Introduced in IOS release 12.2(52)SE

  • New server roles – addresses the problem of inadvertent rewrites of the vlan database
    • Primary – only 1 at a time
      • Can modify VTP domain contents
      • Only switch whose vlan database is propagated through the domain
      • Database is accepted if the receiving switch agrees on the domain name and the ID of the primary server (its MAC address)
    • Secondary
      • Cannot make changes, but can be promoted
      • All other server switches in the domain are secondary
    • Primary role is a runtime state; it does not get saved into the configuration
    • Server roles help prevent unwanted changes to the VTP domain
  • Password storage and usage improved
    • Can be stored hidden so it cannot be displayed in plaintext (vtp password [pw] hidden)
    • Promotion of a secondary requires entering the password in plaintext
    • The password is carried between switches in hashed form, never in plaintext
  • Capable of distributing the full range of VLANs and private VLANs
    • No longer need to be in transparent mode to use the extended VLAN range or private VLANs
    • Pruning still only applies to the normal VLAN range
  • Supports VTP off
    • Switch does not participate in VTP and drops all VTP messages (globally or per port)
  • Distributes the content of the MST region configuration
  • Client switches cannot make changes to the domain or be promoted
  • Both secondary servers and clients store a copy of the primary's vlan database and share it with neighboring servers and clients that agree on the primary's ID
  • A secondary or client with a higher revision number can overwrite the vlan database, but must match on domain name, primary ID and password
  • Conflicts
    • Servers or clients in the domain having different primary server IDs
    • Conflicting switches do not sync the vlan database even if all other parameters match
  • Promotion to primary server is done in exec mode
    • vtp primary
  • Cannot reset the revision number to 0 by switching the mode to transparent
    • Only reset by modifying the domain name or configuring the password
  • On a port facing a switch that cannot run v3, the v3 switch reverts to v2 on that port
    • v3 to v1 is not supported

VTP Pruning

Reduces unnecessary flooded traffic such as broadcasts, multicast and unicast packet

  • Disabled by default
  • Enabling on server enables for entire domain
  • VLANs 2 – 1001 are eligible for pruning (VLAN 1, 1002–1005 and the extended range are never pruned)
  • Cmd: vtp pruning

CCIE RS – Written – Network Principles – Use IOS Troubleshooting Tools

Use IOS Troubleshooting Tools

Multiple troubleshooting tools are built into IOS.

  • show – monitor normal behavior and isolate problems
    • version – system hardware, software version, uptime, boot image
    • running-config – current configuration
    • startup-config – config stored in NVRAM
    • interface – interface statistics, bandwidth, errors
  • debug – assist in isolating a protocol and configuration problem
  • ping – determine connectivity
  • trace – show the path packets are taking

debug, conditional debug

Debugs must be turned on using the debug command. To show running debugs: show debug

Debugs are sent to the console by default (no logging console turns that off). Use terminal monitor if you are remotely connected to the device so the output reaches your vty session.

Turn off all debugs: R1#undebug all (or no debug all)

Conditional debug – add parameters around what debugs you want displayed to the console.

Stacking multiple debug conditions will generate output if at least 1 condition is met.

R1#debug condition ?
  called       called number
  cpl          Cisco Provisioning Language debugging
  glbp         interface group
  ip           IP address
  mac-address  MAC address
  match-list   apply the match-list
  profile      Media Services Profile
  standby      interface group
  username     username
  vcid         VC ID
  vrf          Virtual Routing and Forwarding
  xconnect     Xconnect conditional debugging on segment pair

R1#debug condition ip 
Condition 1 set
R1#debug condition interface gi0/0
Condition 2 set
R1#sho debug

Condition 1: ip (0 flags triggered)
Condition 2: interface Gi0/0 (1 flags triggered)
Flags: Gi0/0


With the conditions above set, debug output is limited to messages that match either condition (the IP condition or interface Gi0/0), following the OR behaviour described earlier. Conditions only filter: a debug such as debug ip packet still has to be enabled, and even filtered debugs can load the CPU on a busy device, so set the condition before turning the debug on.

ping, traceroute with extended options

Ping – common method for troubleshooting accessibility to a device

  • Uses ICMP echo request / echo reply
    • Tells if a host is reachable / unreachable
    • Round-trip delay (RTD) to the host
    • Packet loss

Issues if cannot ping

  • Routing issue
  • Interface down
  • ACL
  • ARP issue
  • Delay
  • Source Address
  • High Input Queue drops

Traceroute – Discover the routers a packet takes to a destination

  • Sends a sequence of UDP datagrams to an unlikely (invalid) destination port, starting at 33434 and incrementing per probe
  • 3 datagrams are sent with a TTL of 1 (IOS default probe count)
  • A TTL of 1 causes the datagram to expire at the first hop, which responds with an ICMP "Time Exceeded" message (TEM)
  • The process continues, increasing the TTL by 1 each step, until the packets reach the destination
  • The destination responds with an ICMP "Port Unreachable" message, which indicates the traceroute is finished
  • A hop that filters or rate-limits its ICMP errors shows up as * for that TTL, but the trace continues; a destination that filters Port Unreachable never terminates the trace until the maximum TTL is reached
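The TTL-expiry exchange above, as an added example that is not part of the original notes or of IOS. It builds real IPv4/UDP probe packets and the ICMP Time Exceeded and Port Unreachable replies with valid checksums, and shows the detail the bullets leave implicit: a reply is matched back to its probe through the UDP destination port quoted inside the ICMP error. The hop simulation (one probe per TTL, a list of routers that may or may not answer) and the addresses are constructed for the example; on a real network the probes go out a raw socket and the same parsing applies to what comes back.

```python
import socket
import struct

ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11
BASE_PORT = 33434          # traditional traceroute UDP base port


def inet_checksum(data):
    """RFC 1071 ones' complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src, dst, proto, ttl, payload):
    """20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def udp_probe(src, dst, ttl, seq):
    """One traceroute probe: UDP to BASE_PORT + seq (a port nothing listens on) with the
    TTL under test. The destination port is how replies are matched back to probes."""
    udp = struct.pack("!HHHH", 40000, BASE_PORT + seq, 8 + 12, 0) + b"\x00" * 12
    return ipv4(src, dst, 17, ttl, udp)


def icmp_error(from_ip, to_ip, itype, code, offending):
    """ICMP error quoting the offending packet's IP header plus its first 8 bytes."""
    body = struct.pack("!BBHI", itype, code, 0, 0) + offending[:28]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4(from_ip, to_ip, 1, 64, body)


def hop_handles(hop_ip, pkt, is_destination, answers=True):
    """What one hop does with a probe: ('icmp', reply), ('forward', pkt) or ('drop', None).
    answers=False models a router or host that filters its own ICMP errors."""
    ttl = pkt[8]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    if is_destination:                      # nothing listens on the port -> port unreachable
        return ("icmp", icmp_error(hop_ip, src, ICMP_DEST_UNREACH, 3, pkt)) if answers else ("drop", None)
    if ttl <= 1:                            # TTL expires here -> time exceeded
        return ("icmp", icmp_error(hop_ip, src, ICMP_TIME_EXCEEDED, 0, pkt)) if answers else ("drop", None)
    return "forward", ipv4(src, dst, pkt[9], ttl - 1, pkt[20:])   # decrement and re-checksum


def parse_icmp_error(pkt):
    """Return (responder, type, code, quoted UDP destination port) from an ICMP error."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    inner = icmp[8:]                        # the quoted probe: its IP header + 8 bytes of UDP
    inner_ihl = (inner[0] & 0x0F) * 4
    dport = struct.unpack_from("!H", inner, inner_ihl + 2)[0]
    return socket.inet_ntoa(pkt[12:16]), icmp[0], icmp[1], dport


def traceroute(src, routers, dst, max_ttl=30, dst_answers=True):
    """routers: ordered list of (ip, answers). One probe per TTL (IOS sends three).
    Returns [(ttl, responder or '*'), ...], stopping at the destination's port unreachable."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        pkt = udp_probe(src, dst, ttl, ttl)
        entry = "*"
        for hop_ip, answers in routers + [(dst, dst_answers)]:
            action, out = hop_handles(hop_ip, pkt, hop_ip == dst, answers)
            if action == "forward":
                pkt = out
                continue
            if action == "icmp":
                responder, itype, code, dport = parse_icmp_error(out)
                if dport == BASE_PORT + ttl:        # the reply belongs to this probe
                    entry = responder
                if (itype, code) == (ICMP_DEST_UNREACH, 3):
                    hops.append((ttl, entry))
                    return hops
            break                                   # dropped or answered: next TTL
        hops.append((ttl, entry))
    return hops


if __name__ == "__main__":
    path = [("10.0.0.1", True), ("10.0.1.1", False), ("10.0.2.1", True)]
    for ttl, who in traceroute("192.0.2.10", path, "198.51.100.5"):
        print(ttl, who)
```

The silent second router yields a `*` line but the trace keeps going, which is the usual signature of a hop that rate-limits or filters ICMP; with `dst_answers=False` the destination's Port Unreachable never arrives and the trace runs to `max_ttl`, which is what a host-based ACL that blocks ICMP unreachables looks like from the outside.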

Traceroute Text Characters

Embedded packet capture

  • Onboard packet capture facility
  • Consumes CPU and memory resources during its operation
  • Export captures via TFTP, FTP and local disk
  • Define a buffer size and type (circular or linear) and max number of bytes of each packet capture
  • Capture can be throttled using admin controls
    • Filter packets with ACL
    • Specify max packet capture rate or specify sampling interval
  • Benefits
    • Ability to capture IPv4 and IPv6 in CEF path
    • Flexible method to specify capture buffer parameters
    • Filter captured packets
    • Method to decode data packets
    • Facility to export the capture (PCAP)
    • Extensible infrastructure for enabling capture points

Performance monitor

Enables monitoring of traffic flows in the network. Similar to NetFlow.

Pre-req for configuration

  • IPv4
    • routing and CEF must be configured / enabled
  • IPv6
    • ipv6 cef must be enabled

Can monitor a long list of traffic types.

Configuration Components

  1. Interface – attach performance monitor to interface – service-policy type performance-monitor
  2. Policy – Associate with flow monitor – policy-map type performance-monitor
  3. Class – filtering criteria – class-map
  4. Flow Monitor – Associated with a flow record and an optional flow exporter – flow monitor type performance-monitor
  5. Flow Record – Specify match and collect – flow record type performance-monitor
  6. Flow Exporter – Specify the destination for exporting traffic

show performance monitor status


Router#show policy-map type performance-monitor 
Policy Map type performance-monitor PM_FLOW_MONITOR
flow monitor FLOW_MONITOR
react status: inactive
Router#sh run | s flow
flow record type performance-monitor FLOW_RECORD
 match ipv4 destination address
 match transport destination-port
 collect application media event
 collect counter bytes long
 collect ipv4 dscp
 collect monitor event
 collect routing forwarding-status
 collect timestamp interval
 collect transport packets expected counter
 collect flow direction
flow exporter FLOW_EXPORT
 description *** Export Flows ***
 source GigabitEthernet0/0
 dscp 46
 transport udp 650
flow monitor type performance-monitor FLOW_MONITOR
 description *** FLOW MONITOR ***
 exporter FLOW_EXPORT
flow monitor FLOW_MONITOR
Router#sh run | s class
class-map match-all CM_FLOW_MONITOR
 match any 
flow monitor FLOW_MONITOR
Router#sh run | s policy
policy-map type performance-monitor PM_FLOW_MONITOR
flow monitor FLOW_MONITOR

Apply troubleshooting methodologies

Diagnose the root cause of networking issue (analyze symptoms, identify and describe root cause)

Design and implement valid solutions according to constraints

Verify and monitor resolution

Interpret packet capture

Using Wireshark trace analyzer

Personal writing from experience – you need to understand traffic flows. Knowing protocol basics and using different filters in wireshark to remove the noise in the capture. Would love feedback for this section on your experience with wireshark.

Using IOS embedded packet capture

Router#monitor capture buffer CAPTURE size 256 max-size 100 circular 
Router#monitor capture point ip cef CAPTURE_POINT gi0/0 ?
  both    capture ingress and egress
  in      capture on ingress
  out     capture on egress
  remove  remove capture point
Router#monitor capture point ip cef CAPTURE_POINT gi0/0 both
Router#monitor capture point associate CAPTURE_POINT CAPTURE
*Aug 18 04:12:11.060: %BUFCAP-6-CREATE: Capture Point CAPTURE_POINT created.
Router#monitor capture point associate CAPTURE_POINT CAPTURE
Router#monitor capture point start CAPTURE_POINT
*Aug 18 04:12:29.789: %BUFCAP-6-ENABLE: Capture Point CAPTURE_POINT enabled.
Router#show monitor capture buffer CAPTURE dump

Router#monitor capture point stop all 
*Aug 18 04:15:23.960: %BUFCAP-6-DISABLE: Capture Point CAPTURE_POINT disabled.

The packet capture can be exported in PCAP format to a TFTP server (or any of the file systems listed below; scp: and ftp: are the authenticated options) to look at the capture in Wireshark

Router#monitor capture buffer CAPTURE export ?
  flash0:  Location to dump buffer
  flash1:  Location to dump buffer
  flash2:  Location to dump buffer
  flash3:  Location to dump buffer
  flash:   Location to dump buffer
  ftp:     Location to dump buffer
  http:    Location to dump buffer
  https:   Location to dump buffer
  pram:    Location to dump buffer
  rcp:     Location to dump buffer
  scp:     Location to dump buffer
  snmp:    Location to dump buffer
  tftp:    Location to dump buffer

Router#monitor capture buffer CAPTURE export
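Once the buffer has been exported, Wireshark is the normal next step, but for triage it helps to be able to script over the file. Here is an added example (not code from the original notes or from Cisco) that reads a classic PCAP file as exported above, walks the records, decodes Ethernet, optional 802.1Q/802.1ad tags and the IPv4 header, and summarises flows and top talkers. The sample capture is constructed in memory so the code runs offline; the addresses, MACs and the `_ipv4`/`_frame` helpers are assumptions made for the example (IP header checksums are left zero, which the parser does not verify).

```python
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_IPV4, TPID_DOT1Q, TPID_DOT1AD = 0x0800, 0x8100, 0x88A8


def build_pcap(frames):
    """Constructed sample: wrap raw Ethernet frames in a little-endian pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def pcap_records(data):
    """Yield (timestamp, original_len, bytes) per record; handles both byte orders."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % off)
        yield ts_sec + ts_usec / 1e6, orig_len, data[off:off + incl_len]
        off += incl_len


def decode_ipv4(frame):
    """Ethernet -> optional 802.1Q/802.1ad tags -> IPv4 -> L4 ports. None if not IPv4."""
    off, vlan = 12, None
    ethertype = struct.unpack_from("!H", frame, off)[0]
    while ethertype in (TPID_DOT1Q, TPID_DOT1AD):
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        if vlan is None:
            vlan = tci & 0x0FFF              # the outermost tag is the switching VLAN
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if ethertype != ETH_IPV4:
        return None
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", frame, off)
    l4 = frame[off + (ver_ihl & 0x0F) * 4:]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:    # TCP and UDP both start with the two ports
        sport, dport = struct.unpack_from("!HH", l4, 0)
    return {"vlan": vlan, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "sport": sport, "dport": dport}


def summarize(data):
    """One dict per IPv4 packet in the capture, in file order; non-IPv4 frames are skipped."""
    return [d for _, _, frame in pcap_records(data) for d in [decode_ipv4(frame)] if d]


def top_talkers(data, n=3):
    return Counter(d["src"] for d in summarize(data)).most_common(n)


# --- constructed sample capture (assumption: not from the router above) -------------
def _ipv4(src, dst, proto, payload, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload                     # header checksum left zero: enough for parsing


def _frame(ip_pkt, vlan=None):
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = struct.pack("!HH", TPID_DOT1Q, vlan) if vlan is not None else b""
    return eth + tag + struct.pack("!H", ETH_IPV4) + ip_pkt


SAMPLE_PCAP = build_pcap([
    _frame(_ipv4("10.0.0.5", "10.0.0.1", 1, b"\x08\x00\x00\x00\x00\x01\x00\x01"), vlan=10),  # ICMP echo, VLAN 10
    _frame(_ipv4("10.0.0.5", "192.0.2.53", 17, struct.pack("!HHHH", 50000, 53, 8, 0))),   # DNS query
    _frame(_ipv4("10.0.0.9", "10.0.0.5", 6, struct.pack("!HH", 4444, 22) + b"\x00" * 16)), # TCP to port 22
    b"\xff" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28,                               # ARP, skipped
])

if __name__ == "__main__":
    for entry in summarize(SAMPLE_PCAP):
        print(entry)
    print(top_talkers(SAMPLE_PCAP))
```

Pointing `summarize()` at the bytes of a file exported with `monitor capture buffer ... export` gives the same dicts, which is enough to grep for an unexpected destination port, a VLAN that should not appear on that interface, or a TTL that does not match the expected hop count.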