New blog section – Certification

I don’t know how many of my blog visitors had the curiosity to visit the About section to read something about me. If some of you did read that section, then you already know that I have several certifications from Cisco and other vendors and I’m on my way to CCIE. A long road with a slow progress due to my busy professional life.

These being said, I want to announce a new section of my blog called “Certification”. In this section I will discuss only about certifications and related topics like training providers, exam scenarios and tasks, recommended approach and so on. I will try to help engineers on the same path as me and, why not, ask for help when I have a blocking point.

I have some years of network engineering field experience, I attended some exams and for a while I’m preparing for the CCIE R&S exam, so I think I can do a good job in this section. Compared to other sections the technical parts discussed here will be more oriented to exams, and not real networking challenges.

I hope my experience together with your contribution with comments and suggestions to make this section interesting.

Last words. If you hope to find here braindumps or materials that violate the NDA (no matter if is Cisco or other vendor), then you are in the wrong place.

Cisco Easy VPN Router-to-Router

Cisco Easy VPN is not a new technology. Actually it is pretty old, but still used by many companies or people to connect remote site / remote workers to headquarter.

A few days ago I was looking to connect a remote site in a simple way but still secure and a colleagues suggested me to use Easy VPN. It supposed to be a simple configuration and it was after solving all issues that came into play.

First of all, I needed an Easy VPN Router(client) – to – Router(server). The other method is some client (PC) with software connection to Router / PIX / ASA / VPN Concentrator (Server). Something like this:


The idea is that behind the Client router, I will have a group of people who need to connect to the headquarter, so I don’t want each of them to use personal VPN connections. In search of possible configurations, I’ve found this Cisco configuration example. The only issue in that document is that the Easy VPN tunnel needs manual intervention to connect, which I want to avoid.

For those who need a quick and secure Easy VPN connection here is my sample configuration:


!! We define a new AAA model for authentication and authorization
!! for remote VPN clients
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!! Generic username and password
username cisco password 0 cisco123
!! We configure a crypto isakmp policy. The number and encryption are your choice
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!! We add a key and ! Important ! “save-password” command
!! “Save-password” allow client to save the password in an automatic vpn connection
!! scenario
crypto isakmp client configuration group vpngrp
key cisco123
!! The IPSec transform set; You can pick a stronger one like esp-aes 256, but
!! for this example will work fine
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!! We get everything together in a crypto dynamic map
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!! Add the crypto map on the WAN interface or where your VPN tunnels will terminate
interface x/y
description WAN
crypto map clientmap


!! On the remote side we define an Easy VPN client
!! connect auto – means it will connect automatically
!! network-extension – connection between remote side LAN and server LAN will
!! not need NAT
!! peer is the VPN server IP address
!! xauth mode has to be local for auto connection without manual intervention
crypto ipsec client ezvpn ez
connect auto
group vpngrp key cisco123
mode network-extension
username cisco password cisco123
xauth userid mode local
!! Apply the already defined crypto to WAN interface
!! This will be automatically the Outside interface, even if you don’t
!! add the “outside” keyword at the end of the command
interface x/y
description WAN
crypto ipsec client ezvpn ez
!! Apply it on ALL L3 LAN interfaces that needs to communicate over VPN
!! more, you need to specifiy the keyword “inside”
interface x/y
description ANY L3 LAN interface (SVI / Physical)
crypto ipsec client ezvpn ez inside

To test if your tunnel is up, issue the following command on the EasyVPN client router

#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : TEST
Inside interface list: GigabitEthernet0/0, GigabitEthernet0/1
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Save Password: Allowed
Current EzVPN Peer:

As you can see the Current State shows IPSEC_ACTIVE

Other commands that will help you see if everything is ok (this can be run on client or server side)
#show crypto isakmp sa
! Look for the “state” (it has to be QM_IDLE) and
! “status” (has to be ACTIVE)

#show crypto ipsec sa
! Look for #pkts encaps and #pkts decaps; the decimal values should be close

I hope this will help you. If anything is unclear please ask in comments.


Cisco IOS release naming

Most probably you already know this, but for those who are interested, here is a list of the letter definitions for Cisco IOS release trains. In more human terms, if you have loaded an IOS image like c2900-universalk9-mz.SPA.150-1.M5.bin, what those letters (in this case SPA) mean:

  • A = Aggregation/Access Server/Dial technology
  • B = Broadband
  • C = Core routers (11.1CA, 11.1CT, 11.1CC)
  • D = xDSL technology
  • E = Enterprise feature set
  • F = Feature Specific enhancements (11.2F)
  • G = Gigabit Switch Routers (GSR)
  • H = SDH/SONET technology (11.3HA)
  • J = Wireless Networking technology (Aironet)
  • M = Mobile (Restricted to Mobile Wireless BU usage and further reserved for Mainline)
  • N = Voice, Multimedia, Conference (11.3NA)
  • P = Platform features (11.2P)
  • R = Reserved for ROMMON reference
  • S = Service Provider
  • T = Reserved for Consolidated Technology Train
  • W = LAN Switching/Layer 2 routing
  • X = A short lived, one-time release (12.0XA)
  • Y = A short-lived, one-time release (when Xs are exhausted)
  • Z = A short-lived, one-time release (reserved if Ys are exhausted)

Additional information can be found here.

Cisco QoS at-a-glance

Stephan, a  colleague of mine,  found the following documents digging through multiple pages of The documents present a nice view of different QoS approaches and the most  important information. Somehow like “cheatsheets”. They were helpful to us when need to implement QoS in some parts of the network that we administer. I hope they will help you as well.

Maybe you’re wondering why I’m adding them here, since the documents are already somewhere in As you probably know, Cisco has constantly changing their website in the last months and a lot of documentation is misplaced in the sitemap. We already had problems finding all links, so I said why not share it here as they are already public made by Cisco.

You’ll find a Download button under each document, for PDF version and at the end of this post there is a Link to download all documents in an archive. If somebody needs only one document and has a poor Internet connection why to force them to download the full archive.

Cisco's Campus QoS Design
Cisco – Campus QoS Design

Cisco's Branch QoS Design
Cisco – Branch QoS Design

Cisco IPv6 QoS

Cisco – IPv6 QoS

 Cisco's QoS Best Practices

Cisco – QoS Best Practices

Cisco QoS Design for IPsec VPNs

Cisco – QoS Design for IPsec VPNs

Cisco's QoS Design For MPLS VPN Service Providers

Cisco – QoS Design for MPLS VPN Service Providers

QoS Strategy for DoS Worm Attack Mitigation

Cisco – Scavenger class – QoS Strategy for DoS Worm Attack

Cisco's QoS Design for MPLS VPN Subscribers

Cisco – QoS Design for MPLS VPN Subscribers

QoS Baseline

Cisco – QoS-Baseline

Cisco's WAN QoS Design

Cisco – WAN QoS Design

As said in the beginning, if you’d prefer, you download all QoS graphs in one archive.

Let me know your opinions on the above approach on QoS from Cisco. Is is accurate? Do you apply them in your organization weather for Campus, WAN, VPN or even Security?