Because I Said So!
— What you should avoid saying to your kids unless you don’t mind them accepting ideas and beliefs based on some authority’s word rather than for valid reasons. If they accept the arbitrary, it’s all downhill from there. You’ve opened the door for them to believe anything no matter how silly. They’ll probably become Republicans or Democrats and it’ll be all your fault.

Word Macro - Find lines with "fluong" and underline to end-of-line

I wrote a Word VBA macro to do some stuff I was too lazy to do by hand. I wanted to underline lines which start with my username. Now finding and underlining text is not a big deal, but extending the selection after finding it complicates matters.

This is probably not the best way to do things but it’s a good start for me. If it helps you, send me a tweet and let me know @francisluong.

http://codetidy.com/paste/embed/5853

Sub underline_fluong()
'
' underline_fluong Macro
' Find instances of "fluong" which are not underlined and:
'  - extend selection to end of line
'  - underline it
'

Dim iCount As Integer
Dim searchText As String
searchText = "fluong"

Selection.HomeKey Unit:=wdStory

With Selection.Find
    .ClearFormatting
    .Forward = True
    .Wrap = wdFindContinue
    .Text = searchText
    .Font.Underline = wdUnderlineNone
    .Execute
End With

Do While Selection.Find.Found = True And iCount < 1000

    iCount = iCount + 1

    Selection.HomeKey Unit:=wdStory
    Selection.Find.Execute

    If Selection.Find.Found Then
        Selection.EndOf Unit:=wdLine, Extend:=wdExtend
        Selection.Font.Underline = wdUnderlineSingle

        With Selection.Find
            .ClearFormatting
            .Forward = True
            .Wrap = wdFindContinue
            .Text = searchText
            .Font.Underline = wdUnderlineNone
        End With
    End If
Loop

End Sub

New Practices and Habits

I have been playing with putting different things into practice in the routines of my weeks. Here’s some of what is going on.

Mornings

I no longer have breakfast first thing. I now require that I earn my breakfast through some sort of action: walk, workout, Egoscue E-cises, etc. I believe this is having a beneficial effect on the way my body deals with hunger and blood sugar.

Bass or Exercise

Each day, I will either practice the bass guitar or do a workout. This lets me work on both and ensures that I have time for both.

Clear Calendar Invites Daily

This one is not one I have put into practice yet. But I sometimes miss invites for meetings because they get lost in the mess of e-mail. The iPhone provides a nice feature of collecting calendar meeting invites in a special inbox so I have decided I will start a new morning routine of clearing out that inbox.

A Particularly Truthful Paragraph

> “Of course obstacles exist. But part of life’s purpose is removing obstacles, or at least minimizing their impact. The worst obstacles are not found in nature, but in the irrational or erroneous things human beings do to each other—and to themselves. (For evidence, read world history and examine today’s headlines.) This is one reason why we need a field of psychology, and (more fundamentally) philosophy, and is why human beings eschew these fields at their peril.” http://drhurd.com/index.php/Daily-Dose-of-Reason/Psychology-Self-Improvement/Got-Serenity.html

This one really hits home for me. I’ve been interested in psychology and philosophy a long time and I think I really didn’t notice why until I read this.

Node-sets and relational expressions | Workflow Sherpas

  • “if any of the nodes in the node-set have a value that causes the relational expression to evaluate to true then the answer is true”
    • “if there are no nodes, then there are no nodes that can cause the operator to evaluate to true, so the answer is always false!”

Sea Lions at La Jolla Cove

I did it! #JNCIE-SP #1999! (and 5 tips on how to prepare for it)

The wait is over. I heard today that I passed the JNCIE-SP exam. Hooray!

I expect that I will get this question a lot so I’ll do my best to answer it here.

Franco, what tips can you share about how to prepare for this exam?

  1. Read the Exam Objectives. Sounds obvious but this is your roadmap for knowing what topics are covered for the exam. Print it. Pin it up. Read it regularly.

  2. Take the JNCIE-SP Bootcamp. When I first took this class, I wasn’t able to keep up with the material but I was able to get a taste of some of the topics that are covered and how to interpret the wording. Over time, I was able to go into the labs in detail at my own pace. If you’re flush with cash, consider taking it before you begin your prep and take the bootcamp again just before you sit for the exam. Above all else, remember that the Bootcamp doesn’t cover 100% of what you need to know but it’s most of the way there and illustrates some of the complex details.

  3. Read some of my previous blog posts. The stuff I’ve written covers some of the less obvious details that are easy to overlook but they are best as a supplement to the Bootcamp material. Other people have also documented similar things that have helped them most during the exam. Use what you can, but remember to bring along your grain of salt and that the details may change with new versions of Junos.

  4. Practice more than Study. You will either need a home lab or you will need to book time on Junosphere to practice configuration and troubleshooting. Once you’ve taken the JNCIE-SP bootcamp, you have a great springboard for performing deep exploration and making modifications to cover the things you think are lacking. Don’t be afraid to go into the weeds. Studying is good but it should supplement your practice and not the other way around. You can’t get good at the things you need to get good at to pass by spending most of your time reading and taking notes.

  5. Fail the Exam. At $1k per attempt, this one is expensive but ultimately there is no substitute for having the experience of the real test itself. When you have gotten pretty far along with your practice, take the exam and see how you do. Keep good notes on what you observed, what was confusing, and what you want to do better next time. Any configuration that really stumped you needs to be explored in depth until you are satisfied that you have a good way to solve it. Use your experience with the exam to build more complex exercises for yourself in your practice.

These are my tips. I hope they serve you well.

-Franco

JUNOS Scripting Tip: How To Get The RPC Equivalent Command For A JUNOS CLI Command

To get the RPC command for “show version”, pipe output to “| display xml rpc”

 lab@aristotle-re0> show version | display xml rpc
 <rpc-reply xmlns:junos="http://xml.juniper.net/junos/12.3R2/junos">
     <rpc>
         <get-software-information>
         </get-software-information>
     </rpc>
     <cli>
         <banner></banner>
     </cli>
 </rpc-reply>

This yields “get-software-information”. Easy!

#JNCIE - One Practice Strategy: Configure It Quickly, Fix It Slowly

Studying and practicing for your JNCIE examination means that you have a couple of conflicting things you need to work on. You need to practice for your speed of execution, but you also need to practice looking at outputs and developing your intuitive sense of where to look for problems when your protocols aren’t coming up or traffic is not flowing.

It can be hard to imagine the many different ways a protocol can break but the good news is you have an ally in this department: your lousy memory and your bad typing skills! :)

When I was sitting for my exam yesterday, I was missing a bit of configuration for a VPN I was configuring and the output was really a bit mystifying. It took me a while to sort it out. And it occurred to me that a person could really use their configuration mistakes to their own advantage while doing practice runs by patiently troubleshooting them without reaching for the books and looking things up right away.

So here’s the strategy I came up with:

  1. Pick a technology you want to work on from the Exam Objectives. The more convoluted the better. Try to find ways to “tie one hand behind your back”, for instance by adding a restriction like VPN route-reflectors that don’t have MPLS running, or IGP total stub areas that require an aggregate route.

  2. Configure the scenario as quickly as you can with as little configuration as possible. Don’t make mistakes on purpose but do rush it. Test with pings from the CE devices (end-to-end) if possible.

  3. Assuming everything didn’t come up, start troubleshooting and really linger over the show commands. Do this especially when you have just found the problem, looking at the before and after and seeing how the outputs are different.

  4. Assuming everything did come up, you can still try to break it by removing an ingredient and comparing what the outputs look like while it is broken (e.g. remove an interface from “protocols mpls” or remove an address family from the interface).

  5. Make notes to yourself on what you learned in Evernote.

This will let you practice implementing things with speed while making an opportunity to practice spotting problems in your outputs when the network has missing or invalid configs.

photo credit: wifebot

#JNCIE-SP: When Configuring Labeled Unicast Peers, Configure The Interface For MPLS First

Ran into an interesting situation with inter-provider VPNs.

When setting up the ASBR peering, I got the BGP set up before adding family mpls to the interface. And when I checked IBGP advertisements, I got this:

 lab@R3> show route advertising-protocol bgp 172.27.255.1

 inet.0: 22 destinations, 22 routes (22 active, 0 holddown, 0 hidden)
   Prefix                  Nexthop              MED     Lclpref    AS path
 * 95.100.255.2/32         Self                 1       100        60001 I

 inet.3: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
   Prefix                  Nexthop              MED     Lclpref    AS path
 * 95.100.255.2/32         Not advertised       1       100        60001 I

Uh Oh… “Not Advertised”… Let’s check to see what’s up.

 lab@R3> show route advertising-protocol bgp 172.27.255.1 extensive

 inet.3: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)

 * 95.100.255.2/32 (1 entry, 1 announced)
 BGP group internal type Internal
      BGP label allocation failure: family mpls not enabled on interface
      Nexthop: Not advertised
      Flags: Nexthop Change
      MED: 1
      Localpref: 100
      AS path: [3895077211] 60001 I

Hmmmm… That’s strange. I thought I enabled it…

 [edit interfaces ge-0/0/4]
 lab@R3# show 
 description "Connection to P-1";
 unit 0 {
     family inet {
         address 172.27.0.57/30;
     }
     family mpls;
 }

Yeah… there it is. What if I try to clear soft-in?

 lab@R3> clear bgp neighbor 172.27.0.58 soft-inbound

 inet.3: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)

 * 95.100.255.2/32 (1 entry, 1 announced)
 BGP group internal type Internal
      BGP label allocation failure: family mpls not enabled on interface
      Nexthop: Not advertised
      Flags: Nexthop Change
      MED: 1
      Localpref: 100
      AS path: [3895077211] 60001 I

Nope… no go. Looks like we get to wait 30+ seconds. :)

 lab@R3> clear bgp neighbor 172.27.0.58
 Cleared 1 connections

Now to go get some coffee…

 lab@R3> show route advertising-protocol bgp 172.27.255.1 extensive

 inet.0: 22 destinations, 22 routes (22 active, 0 holddown, 0 hidden)
 * 95.100.255.2/32 (1 entry, 1 announced)
 BGP group internal type Internal
      Nexthop: Self
      Flags: Nexthop Change
      MED: 1
      Localpref: 100
      AS path: [3895077211] 60001 I

 inet.3: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)

 * 95.100.255.2/32 (1 entry, 1 announced)
 BGP group internal type Internal
      Route Label: 299952
      Nexthop: Self
      Flags: Nexthop Change
      MED: 1
      Localpref: 100
      AS path: [3895077211] 60001 I

That looks much better!

JNCIE-SP: For Class-of-Service Know Your Defaults and Be Ready to Do Some Conversion

My exam prep continues. I spent a bit of time sitting with class-of-service this weekend and I think I have a good strategy for CoS that I want to share.

Preparation

I’m going to assume that you’re studying how to configure all of the basics of class-of-service for the exam. This post won’t cover much about configuration. You should know how to create custom classifiers, rewrite rules, forwarding-classes, schedulers, and scheduler-maps. You should know how to apply these to your interfaces.

You need to study that. I’m not here to talk about it. Instead, I wanted to discuss a couple of points that are a bit more subtle and strategic in nature that I think I worked out this weekend.

Know your Defaults

If you’re not asked to implement any special forwarding classes, using the default forwarding classes, rewrite-rules, classifiers, and schedulers can be a huge time saver during the exam. The assumption here is that you’re doing some work at the edge to get the traffic marked into the specified forwarding classes. After you have it classified on the first box, you may have some additional work to do to make sure the rest of the network knows how to handle your classifications.

So here’s my big tip: Learn your defaults and be prepared to modify or over-configure them.

So what do I mean by “Learn Your Defaults”? Basically, you need to be able to answer these questions:

  • What forwarding-classes exist by default?
  • What classifiers and rewrite rules are configured by default?
  • What is the difference between classifiers: ipprec-default and ipprec-compatibility?
  • What schedulers are configured by default?
  • What show commands can I use to look at these if I forget?

Because it’s too lengthy to include here, I’ll just link to an Evernote Shard with a whole bunch of outputs and links to the documentation.

You can augment your bit of memorization work by using the “show class-of-service…” commands available. This is good for me because I am lazy, but there is another good reason to use the show command output. Because the details of what configuration is default may change as you go from one version of JUNOS to another (and you may not be practicing on the exact version used in the exam environment), knowing how to verify the defaults from show command outputs can save you in case of any differences between them.

With any luck, the requirements will permit you to apply some default classifiers and rewrite rules to get you carried through your backbone.

Be Ready to Do Some Binary Conversion

You’re gonna need to be able to check your work.

Ping lets you set the ToS bits, which is handy to create DSCP or IP-Precedence marked traffic, but the value has to be specified as a decimal number. This may require math or a calculator or a bit of memorization. If you’re not verifying against IP header code points, you will have to do some temporary config changes with MF classifiers to test your configs. I don’t discuss that in detail here, just the IP ToS verification.

Knowing your basics for how ToS/IPPrec/DSCP are mapped is crucial knowledge here:

  • IP Precedence is a 3-bit value occupying the high order bits of the ToS field in the IP header. You can convert IP precedence to a decimal TOS value by multiplying by 32 (or 2^5) (e.g. 101 == 5 // 5*32 = 160).
  • DSCP is a 6-bit value occupying the high order bits of the ToS field in the IP header. Incidentally, this makes it mutually exclusive vs. IP Precedence. You can convert these to a decimal ToS value by converting to decimal and then multiplying by 4 (2^2). My brain is tired just thinking about this, so…

If you don’t want to do math at all, use the “Programmer” mode of the calculator app that comes with Windows to do the conversion. You still need to know that the value occupies the high order bits of an 8-bit field to do this. Pad IPPrec with 5 zeros to the right or DSCP with 2 zeros to the right and you are good to go. Example follows for IP Precedence value 101:

[Two calculator screenshots: the value shown in binary, then in decimal.]

If you are going to verify with pings, be able to do this conversion quickly.
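The same conversion in code, as an added example that is not part of the original post. It goes slightly beyond the text by also accepting the standard DSCP code-point names (csN, afXY, ef, be) and by decoding a ToS value back into both views; the function names are made up for this illustration.

```python
import re


def _field(value, width):
    """Accept an int or a binary string such as '101' and range-check it."""
    n = int(value, 2) if isinstance(value, str) else int(value)
    if not 0 <= n < (1 << width):
        raise ValueError(f"{value!r} does not fit in {width} bits")
    return n


def precedence_to_tos(prec):
    """IP precedence is the top 3 bits: pad 5 zero bits on the right (x32)."""
    return _field(prec, 3) << 5


def dscp_to_tos(dscp):
    """DSCP is the top 6 bits: pad 2 zero bits on the right (x4)."""
    return _field(dscp, 6) << 2


def dscp_from_name(name):
    """Illustrative helper: standard code-point names to DSCP values.

    csN = 8*N, afXY = 8*X + 2*Y, ef = 46, be = 0.
    """
    name = name.lower()
    if name == "be":
        return 0
    if name == "ef":
        return 46
    m = re.fullmatch(r"cs([0-7])", name)
    if m:
        return 8 * int(m.group(1))
    m = re.fullmatch(r"af([1-4])([1-3])", name)
    if m:
        return 8 * int(m.group(1)) + 2 * int(m.group(2))
    raise ValueError(f"unknown code-point name: {name!r}")


def decode_tos(tos):
    """Split a decimal ToS value into the fields a classifier would read."""
    tos = _field(tos, 8)
    return {
        "binary": format(tos, "08b"),
        "precedence": tos >> 5,   # top 3 bits
        "dscp": tos >> 2,         # top 6 bits
        "low_bits": tos & 0b11,   # not part of either marking
    }


if __name__ == "__main__":
    # Values to hand to ping's ToS option for a few markings.
    print("precedence 101 ->", precedence_to_tos("101"))
    for cp in ("be", "af11", "cs5", "ef"):
        print(f"dscp {cp:>4} ->", dscp_to_tos(dscp_from_name(cp)))
    print("tos 160 decodes to", decode_tos(160))
```

Decoding 160 shows why a precedence-marked ping also matches a DSCP classifier entry: the same byte reads as precedence 5 and as DSCP 40 (cs5).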

Exam Strategies

  1. Read the requirements in detail and correlate with any requirements from other sections that may impose restrictions on what methods you may use to achieve these goals.

  2. Classify at the ingress edge. To classify by behavior aggregate code-points, use a classifier. Only use multifield classification if it is required for classification based on other packet characteristics.

  3. If you need to police certain classes based on code-points, you’re already classified and you can simply use “from forwarding class”.

  4. If you have to add a firewall filter, including counters in the filter can be handy for verification.

  5. If possible, use the available “default” forwarding-classes, classifiers, and rewrite rules to your advantage and either over-configure them (meaning, explicitly configure defaults) or know how to verify them quickly. Apply these to backbone interfaces. This will be handy if you need forwarding classes to be handled on every router in the backbone.

  6. Verify with pings through to your designated destinations, if you can. Use the calculator to work out ToS values if you need to. Use any firewall counters you have applied and “show interfaces queue” outputs. Test as many traffic classes as you can to verify you have the requirements met.

The Wording Will Get You

Something to watch out for: If the requirements tell you to preserve the “markings” through the network, I suppose you may not be able to achieve that using defaults. I’d ask the proctor on that note.

JNCIE-SP: IPv6 NLRIs over IPv4 BGP Peering When You're Not Using Mapped Addresses.

I previously posted about a way to configure BGP for IPv6 Unicast NLRI over an IPv4 session. Well, sometimes you don’t get to choose the address that the interface is running and it may be the ::1.2.3.4 ipv4-compatible style instead of the ::ffff:mapped style.

This post is about how you get it to work.

In this scenario we have our PE, R1 and the CE, R3.

This is R1’s config.

 set interfaces ge-0/0/2 unit 0 family inet address 172.27.0.5/30
 set interfaces ge-0/0/2 unit 0 family inet6 address ::172.27.0.5/126
 set protocols bgp group ebgp type external
 set protocols bgp group ebgp family inet unicast
 set protocols bgp group ebgp family inet6 unicast
 set protocols bgp group ebgp peer-as 3
 set protocols bgp group ebgp neighbor 172.27.0.6

This is R3’s config

 set interfaces ge-0/0/2 unit 0 family inet address 172.27.0.6/30
 set interfaces ge-0/0/2 unit 0 family inet6 address ::172.27.0.6/126
 set protocols bgp group ebgp type external
 set protocols bgp group ebgp family inet unicast
 set protocols bgp group ebgp family inet6 unicast
 set protocols bgp group ebgp export export-ebgp
 set protocols bgp group ebgp peer-as 701
 set protocols bgp group ebgp neighbor 172.27.0.5
 set policy-options policy-statement export-ebgp term 1 from protocol aggregate
 set policy-options policy-statement export-ebgp term 1 from rib inet6.0
 set policy-options policy-statement export-ebgp term 1 from route-filter 3333:3333::/32 exact
 set policy-options policy-statement export-ebgp term 1 then accept

This is the sad situation on R1 and R3:

 lab@R1> show bgp summary
 172.27.0.6                3         51         53       0       0       20:31 Establ
   inet.0: 0/0/0/0
   inet6.0: 0/0/0/0

 lab@R1> show log messages | grep sanity
 Feb 13 17:15:01  R1 rpd[1131]: bgp_nexthop_sanity: peer 172.27.0.6 (External AS 3) next hop ::ffff:172.27.0.6 unexpectedly remote, ignoring routes in this update

 lab@R3> show log messages | grep sanity
 Feb 13 21:46:27  R3 rpd[1135]: bgp_nexthop_sanity: peer 172.27.0.5 (External AS 701) next hop ::ffff:172.27.0.5 unexpectedly remote, ignoring routes in this update

Per standard, BGP sets the next-hop to its IPv4 address using ::ffff ipv4-mapped addressing. If we add “accept-remote-nexthop” to R1’s BGP config, we get this:

 lab@R1# activate protocols bgp group ebgp accept-remote-nexthop

 [edit]
 lab@R1# commit and-quit
 commit complete
 Exiting configuration mode

 lab@R1> show bgp summary
 172.27.0.6                3         58         61       0       0       23:06 Establ
   inet.0: 0/0/0/0
   inet6.0: 0/1/1/0

 lab@R1> show route resolution unresolved
 Tree Index 1
 Tree Index 2
 Tree Index 3
 3333:3333::/32
         Protocol Nexthop: ::ffff:172.27.0.6
         Indirect nexthop: 0 -

We now see the route but it is not resolvable. So to fix it, we need to change the next hop to the inet6 address assigned to our peering interface. I’m going to fix both directions from R1’s policy since I am assuming no control over R3.

 ## the route we are advertising to R3 comes from IBGP, so we simply adjust the next-hop
 set policy-options policy-statement export-ebgp term reset-v6-nexthop from protocol bgp
 set policy-options policy-statement export-ebgp term reset-v6-nexthop from rib inet6.0
 set policy-options policy-statement export-ebgp term reset-v6-nexthop then next-hop ::172.27.0.5

 ## we do similar handling for routes received from R3
 set policy-options policy-statement import-ebgp from protocol bgp
 set policy-options policy-statement import-ebgp from rib inet6.0
 set policy-options policy-statement import-ebgp from next-hop ::ffff:172.27.0.6
 set policy-options policy-statement import-ebgp then next-hop ::172.27.0.6
 set policy-options policy-statement import-ebgp then accept

 ## apply policy configs to bgp
 set protocols bgp group ebgp import import-ebgp
 set protocols bgp group ebgp export export-ebgp

After we commit this config change on R1, we now have reachability both ways.

 lab@R1> show bgp summary
 Groups: 2 Peers: 2 Down peers: 0
 Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
 inet.0                 0          0          0          0          0          0
 inet6.0                2          2          0          0          0          0
 Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
 10.255.1.32             701         94         97       0       0       41:04 Establ
   inet.0: 0/0/0/0
   inet6.0: 1/1/1/0
 172.27.0.6                3         67         71       0       0       27:15 Establ
   inet.0: 0/0/0/0
   inet6.0: 1/1/1/0

 lab@R1> show route table inet6 3333:3333::/32

 inet6.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)
 + = Active Route, - = Last Active, * = Both

 3333:3333::/32     *[BGP/170] 00:04:18, localpref 100, from 172.27.0.6
                       AS path: 3 I
                     > to ::172.27.0.6 via ge-0/0/2.0

And R3.

 lab@R3> show bgp summary
 Groups: 1 Peers: 1 Down peers: 0
 Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
 inet.0                 0          0          0          0          0          0
 inet6.0                1          1          0          0          0          0
 Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
 172.27.0.5              701         77         72       0       0       29:23 Establ
   inet.0: 0/0/0/0
   inet6.0: 1/1/1/0

 lab@R3> show route protocol bgp

 inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)

 inet6.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
 + = Active Route, - = Last Active, * = Both

 4444:4444::/32     *[BGP/170] 00:02:55, localpref 100, from 172.27.0.5
                       AS path: 701 4 I
                     > to ::172.27.0.5 via ge-0/0/1.0


 lab@R3> show route protocol bgp detail

 inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)

 inet6.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
 4444:4444::/32 (1 entry, 1 announced)
         *BGP    Preference: 170/-101
                 Next hop type: Router, Next hop index: 587
                 Address: 0x934c688
                 Next-hop reference count: 2
                 Source: 172.27.0.5
                 Next hop: ::172.27.0.5 via ge-0/0/1.0, selected
                 State: 
                 Local AS:     3 Peer AS:   701
                 Age: 3:22
                 Task: BGP_701.172.27.0.5+52965
                 Announcement bits (1): 0-KRT
                 AS path: 701 4 I Aggregator: 4 10.255.1.34
                 Accepted
                 Localpref: 100
                 Router ID: 10.255.1.31

There you have it: accept-remote-nexthop, and some resetting of the next-hop works by either import or export policy.
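
Why the mapped next hop is "unexpectedly remote" and what the policy has to rewrite it to, as an added example that is not part of the original post. It parses the rpd log line quoted above against R1's inet6 interface address from the config above; the function names and the regular expression are assumptions made for this illustration.

```python
import ipaddress
import re

# Sample input taken from the post: R1's rpd log line and R1's inet6 address.
SAMPLE_LOG = (
    "Feb 13 17:15:01  R1 rpd[1131]: bgp_nexthop_sanity: peer 172.27.0.6 "
    "(External AS 3) next hop ::ffff:172.27.0.6 unexpectedly remote, "
    "ignoring routes in this update"
)
R1_INET6 = "::172.27.0.5/126"

# Assumed pattern, written against the log format shown in the post.
LOG_RE = re.compile(
    r"bgp_nexthop_sanity: peer (?P<peer>\S+) .*?"
    r"next hop (?P<nh>\S+) unexpectedly remote"
)


def classify(addr):
    """Return 'ipv4-mapped', 'ipv4-compatible' or 'native' for an IPv6 address."""
    if addr.ipv4_mapped is not None:      # ::ffff:a.b.c.d
        return "ipv4-mapped"
    if 1 < int(addr) < 2 ** 32:           # ::a.b.c.d (excludes :: and ::1)
        return "ipv4-compatible"
    return "native"


def embedded_ipv4(addr):
    """Low 32 bits of a mapped or compatible address as an IPv4Address."""
    if classify(addr) == "native":
        raise ValueError(f"{addr} carries no embedded IPv4 address")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def diagnose(log_line, local_inet6):
    """Explain one bgp_nexthop_sanity line relative to the local interface."""
    m = LOG_RE.search(log_line)
    if m is None:
        return None
    link = ipaddress.IPv6Interface(local_inet6).network
    nh = ipaddress.IPv6Address(m["nh"])
    # The compatible-style address has the same low 32 bits and zeros above.
    candidate = ipaddress.IPv6Address(int(embedded_ipv4(nh)))
    return {
        "peer": ipaddress.IPv4Address(m["peer"]),
        "advertised": nh,
        "kind": classify(nh),
        "on_link": nh in link,            # False is what rpd complains about
        "rewrite_to": candidate if candidate in link else None,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG, R1_INET6)
    for key, value in result.items():
        print(f"{key:>11}: {value}")
```

The advertised ::ffff:172.27.0.6 falls outside the /126 on the peering interface, while the compatible-style form of the same IPv4 address sits inside it, which is the value the import policy sets as next-hop.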