Diffie-Hellman usage in IPSec

I’m intrigued by Diffie-Hellman usage in IPSec. Most of the sources you can find on the internet will explain how Diffie-Hellman works. You might want to visit this YouTube video about Diffie-Hellman Key Exchange, and probably another YouTube video if you are still not getting it.

Skipping the history side of this: in short, Diffie-Hellman is a method that lets you exchange a secret key without needing to pass that key over the network. It can be done with these 5 simple steps.


CCIE RS Lab Exam failed, for the second time.

It’s been a good experience so far, knowing that I failed my CCIE R&S lab for the second time. Well, certainly not the best outcome, but it certainly was a good experience.

Last year, 31 May 2012, I failed my first lab exam. That time was pretty rough. I was too emotional and nearly walked out of the building for not knowing enough of the technologies. I came out of the building feeling stressed out. It could probably be that I went to the exam just a couple of days after I finished Narbik’s Bootcamp. Exhausted and agitated.

Cisco 3560 MLS QOS – Part 3 – Final

This is the third part of Cisco 3560 MLS QOS. Previously I discussed Classification and Marking, and Ingress Queuing.

Egress Queuing

Now we come to the part where packets are ready to be sent out. The idea is quite similar to Ingress Queuing, but Egress has 4 queues instead of only 2 for Ingress. Unlike Ingress Queues, Egress Queues have two sets of queue configuration templates, called Queue-set 1 and Queue-set 2. This is handy if you need two different settings for access ports and trunk ports: you can configure Queue-set 1 with one setup and Queue-set 2 with a different one.

Cisco 3560 MLS QOS – Part 1

MLS QOS has been one of my greatest fears for my CCIE RS exam. I’ve read it several times, labbed it more than 3 times, but still I just cannot understand it. Then I decided to write my own notes to teach myself and hopefully any of you mere mortals like me.

I’ll start with Classification and Marking, and let’s see how deep the rabbit hole goes over the next few parts.



Several things must be satisfied before OSPF can establish a full adjacency: Area-ID, Stub-Flags, Interface-Type, Timers, Authentication, and MTU. These attributes must match those of the peer.

Let’s say that you have a scenario to create Q-in-Q, which requires you to change the default MTU to 1504 using system mtu 1504. The verification also shows that your system MTU is indeed 1504.

SWITCH-3560#sh system mtu

System MTU size is 1504 bytes
System Jumbo MTU size is 1504 bytes
Routing MTU size is 1500 bytes


Proxy ARP Notes

  • Proxy ARP (Cisco Page)
  • To check whether an interface is using Proxy ARP or not.
    Rack10R6#sh ip int f0/0.146 | i ARP
      Proxy ARP is enabled
      Local Proxy ARP is disabled
  • To enable/disable Proxy ARP on the interface
    Rack10R6(config)#int f0/0.146
    Rack10R6(config-subif)#no ip proxy-arp 
    Rack10R6(config-subif)#do sh ip int f0/0.146 | i ARP
      Proxy ARP is disabled
      Local Proxy ARP is disabled
  • To disable Proxy ARP from the global configuration (Proxy ARP is enabled by default)
    Rack10R6(config)#ip arp proxy disable 
    Rack10R6(config)#do sh ip int f0/0.146 | i ARP
      Proxy ARP is disabled (Globally)
      Local Proxy ARP is disabled

Access Port

When you configure switchport access vlan 20 on an interface:

  • This makes the interface a Layer 2 switchport, or non-routable port.
  • No 802.1Q/ISL tagging is involved on this port, as traffic is received and sent untagged.
  • Because there is no tagging involved, the port has no way to tell which VLAN a frame belongs to. Therefore, any frame passing through this port is assumed to belong to the VLAN assigned to the port, in this case VLAN 20.
  • If you add switchport mode access to the configuration, the interface is put into permanent nontrunking mode and also negotiates with the other end of the link to make it a nontrunk link. The interface permanently becomes a nontrunk interface regardless of whether the other end is a trunk or nontrunk link. With this in mind, if one port is configured with switchport mode access and the port at the other end happens to be configured with switchport mode dynamic auto or switchport mode dynamic desirable