Monday, December 18, 2017

How to Trick your VPC into Acting Like a Service Provider

So how do you solve the issue of routing traffic through a remote VPC to reach another remote network?

Picture the following example: you have your VPC, and a business partner has their own VPC. You have VPC peering configured between the two with bidirectional communication, and life is good:



Now what if, behind their VPC, they have an on-premises network, not hosted in AWS, that you need to reach as well? Simple, right? Just route your VPC's traffic to their VPC, and have their VPC forward it on to their on-premises network with a few static routes:


This is where you'll run into an issue: by default, Amazon does not allow traffic that did not originate inside a VPC to be routed out of that VPC to another network. Essentially, you're not allowed to use a VPC as a transit network (i.e. the way you would route traffic through a transit BGP AS). This is understandable, as the last thing Amazon needs is customers causing routing loops within its cloud environment. To get around this, you'll want to use what's called a Transit VPC.

This VPC functions as a hub through which both VPCs and outside networks route traffic to and from each other. Two Cisco ISRs (1000v) form the backbone of this VPC; these two virtual routers handle VPN termination, routing, and high availability. From what I understand, these Cisco routers have most of the traditional Cisco IOS XE feature set, so you may be able to get creative with DMVPN, FlexVPN, etc. for additional dynamic capabilities.


Like anything Cisco, though, you do pay a premium for this. However, it appears to be not only the best choice but probably the easiest to implement.
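To make the limitation concrete, here is a small Python model (an added example, not code from the post) of the rule described above: a VPC forwards a packet over a peering or VPN attachment only if the packet originated inside that VPC, while a router instance (the Cisco routers in the hub) re-originates whatever it forwards. The VPC names, CIDRs and route tables are constructed for the illustration; the peered design drops the on-premises traffic, and the transit VPC design carries it.

```python
"""Model of why VPC peering cannot carry transit traffic, and why a transit VPC can.

Constructed example. Rule modelled: AWS forwards a packet out of a VPC over a
peering (pcx) or VPN (vgw) attachment only if the packet originated in that VPC;
a router instance (the hub's Cisco routers) re-originates what it forwards.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vpc:
    name: str
    cidr: str
    # Route table entries are (destination CIDR, target). Target is "local",
    # "pcx:<vpc name>" for a peering, or "vgw:<name>" for a VPN tunnel that ends
    # either at a non-AWS site or at router instances inside <name> (if a VPC).
    routes: list = field(default_factory=list)
    has_routers: bool = False  # True for the transit hub running the Cisco routers


def lookup(vpc, dst_ip):
    """Longest-prefix match over the VPC's route table; None if nothing matches."""
    best = None
    for dest, target in vpc.routes:
        net = ipaddress.ip_network(dest)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


def trace(vpcs, src_vpc, dst_ip, max_hops=6):
    """Follow a packet from src_vpc toward dst_ip and return the hops taken.

    The last element is 'DELIVERED' or a 'DROPPED: ...' explanation."""
    dst = ipaddress.ip_address(dst_ip)
    cur = origin = vpcs[src_vpc]
    path = [cur.name]
    for _ in range(max_hops):
        if cur.has_routers:
            origin = cur  # a router instance re-sends the packet: AWS now sees local traffic
        target = lookup(cur, dst)
        if target is None:
            path.append(f"DROPPED: no route in {cur.name}")
            return path
        kind, _, arg = target.partition(":")
        if kind == "local":
            path.append("DELIVERED")
            return path
        if origin is not cur:  # pcx/vgw: no transit of traffic that did not originate here
            path.append(f"DROPPED: {cur.name} will not forward traffic originating in {origin.name}")
            return path
        if kind == "pcx" or arg in vpcs:  # peer VPC, or a VPN landing on the hub's routers
            cur = vpcs[arg]
            path.append(cur.name)
        else:                             # VPN to a network outside AWS: assume it delivers
            path.append(f"vpn:{arg}")
            path.append("DELIVERED")
            return path
    path.append("DROPPED: hop limit")
    return path


def peered_design():
    """Your VPC peered with the partner VPC; the partner VPC has a VPN to its on-prem site."""
    return {
        "my-vpc": Vpc("my-vpc", "10.0.0.0/16", [("10.0.0.0/16", "local"),
                      ("10.1.0.0/16", "pcx:partner-vpc"), ("192.168.0.0/16", "pcx:partner-vpc")]),
        "partner-vpc": Vpc("partner-vpc", "10.1.0.0/16", [("10.1.0.0/16", "local"),
                           ("10.0.0.0/16", "pcx:my-vpc"), ("192.168.0.0/16", "vgw:partner-onprem")]),
    }


def transit_design():
    """Same networks, but each site attaches by VPN to a hub VPC running the Cisco routers."""
    hub = Vpc("transit-vpc", "10.255.0.0/24", [("10.255.0.0/24", "local"),
              ("10.0.0.0/16", "vgw:my-vpc"), ("10.1.0.0/16", "vgw:partner-vpc"),
              ("192.168.0.0/16", "vgw:partner-onprem")], has_routers=True)
    return {
        "transit-vpc": hub,
        "my-vpc": Vpc("my-vpc", "10.0.0.0/16", [("10.0.0.0/16", "local"), ("0.0.0.0/0", "vgw:transit-vpc")]),
        "partner-vpc": Vpc("partner-vpc", "10.1.0.0/16", [("10.1.0.0/16", "local"), ("0.0.0.0/0", "vgw:transit-vpc")]),
    }


if __name__ == "__main__":
    for label, design in (("peering", peered_design()), ("transit VPC", transit_design())):
        print(f"{label}: " + " > ".join(trace(design, "my-vpc", "192.168.10.5")))
```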

Have you run into crazy routing scenarios you've had to work around in a cloud or hybrid environment? I'd love to hear your war stories and solutions in the comments below.


Sunday, December 10, 2017

AWS Shared Responsibility

While AWS is great for quickly provisioning servers and networks without worrying about the back-end hardware, there are a few caveats to be aware of. A big one is: who's responsible for what in Amazon's cloud environment? This isn't meant to be a loaded question; it's important to understand that Amazon cannot be held liable for everything in your custom cloud architecture.

Below are some items you are responsible for within their infrastructure:


  • Network access to and from your AWS instances
  • Logging
  • Patching
  • Backups
  • Virus Protection of instances

Amazon is responsible for items such as:

  • Physical security
  • Physical servers, storage, and networking components
  • Disk destruction
  • Security audits
  • DDoS protection (see the free Kindle AWS white paper mentioned below)


Neither list above is comprehensive, but they give you an idea of what you, the customer, will need to protect on your own. Even something such as login access to your instances is your responsibility. As an example, if you happen to lose the private key to an instance, there's not much Amazon can do for you (easy to resolve that problem, I know). For the most part, if it's anything physical or at layer 2, you can probably bet that Amazon handles that portion of the cloud.

Hope this helps. Anything else I should add to the lists above? Let me know in the comment section below!

Friday, December 8, 2017

Initial Strides with Amazon Web Services (AWS)

I finished my work-provided LMS video series last week and now I'm powering through CBT Nuggets at a fairly fast clip. I estimate that within two weeks I'll be done with the Nuggets training as well. What's great about learning cloud is how quickly you can ramp up a lab environment, as mentioned in my last post. It's really supercharging the time it usually takes to pick up a new technical skill.


To be honest, I'm most excited about the Udemy course, as I hear it's very hands-on and closely relates to the exam itself. That's also the main reason I'm saving that piece for last. But using books on Safari always allows me to deep dive into the technology at hand, which is why it's included in my study plan.

This is all perfect timing, as I'm getting thrown into a few interesting AWS projects. One is how to get around some of the AWS networking limitations. We need to communicate between potentially dozens, if not hundreds, of VPCs for our engineering testing. How do we accomplish this at scale? How do we limit deployment time? How can we make it simple to implement while using our own proprietary instances? There are a lot of questions to solve for, and that's not including the business aspects such as cost (of course) and personnel requirements.

VPC Example:



I would love to hear other opinions on whether you think the "Cloud" is here to stay. If you think so, what are you doing to prepare for it? Talk to you all soon.

Tuesday, November 28, 2017

Beginning AWS Studies

As our company begins to swiftly move services to the cloud, specifically AWS, I'm now in a great position to pick up this technology. This will require a paradigm shift on my part, not just in learning the tech but also in how I learn and study this material.

Before, with traditional networking, you could pick up a book or three, set up a small-scale lab if necessary, and be on your way. Since cloud technology moves so quickly, books that are only two years old can already be out of date! Not only that, but there's so much to cloud services that you need a very good grasp of what tools are available to you. The best way is, of course, to set up your own account with the cloud provider and play around with everything available. This is a nice change; in the past, labs took dozens of hours of planning, purchasing, and setting up hardware before you could even begin labbing.

My AWS study plan will focus on the AWS Certified Solutions Architect - Associate cert. This seems to be the starting point everyone recommends. I'm not sure how deep I need to go with this material yet, but the material I need to learn is for sure a mile wide. Once this cert is completed, I'm most likely going to take a look at the AWS Certified Advanced Networking specialty exam, as it makes the most sense to me. For the first exam I plan to follow this study plan, in this order:


  • Internal company LMS (Learning Management System) web learning for the AWS course: This will give me a very high-level overview; I'll begin basic labs as well.
  • CBT Nuggets AWS Associate videos: I'll begin taking notes at this point before moving on. Still debating the older 2013 videos they have; they may be very outdated at this point.
  • Safari Books - AWS Certified Solutions Architect Official Study Guide: Associate Exam: This will serve as my deep dive (hopefully) into the AWS material. I'll continue taking notes along with building flashcards in Anki at this point.
  • Udemy (CloudGuru) course: I'll then prep for the exam itself by going through this course, if affordable and available, to finish up any lingering topics. I'll also deep dive into labs during this time.

Sunday, September 24, 2017

Looking into the future...Cloud

For the past year our family has experienced a lot of new things, challenges, and overall growth. We have a new addition and now we're a family of three! You really do learn to survive on fewer hours of sleep; very rarely do I sleep for more than 6 hours a day now, and less for my wife, unfortunately. Even with that considered, we wouldn't have it any other way.

I'm still at it here and there with Python scripting, but my big focus for the last year was completing the Cisco Certified Design Professional (CCDP). This exam was absolutely tough and I barely squeaked by, but I made it through. Even though I'm not playing much with Cisco at the moment, the concepts hold true for many other vendors as well. The most difficult topics were new tech that I just don't get to play with, along with security. Be sure you understand Cisco ACI at a high level and Cisco security IDS best-practice designs at a low level.

Next up for me is most likely Sec+, but I've also been taking a hard look at cloud infrastructure. Our enterprise is heavily focused on moving as much as we can to the cloud, or at the very least a hybrid infrastructure. Not much has landed in our networking team's lap yet, but it's coming down the line fast. Most likely I'll dive into AWS to get a good sense of what it's all about. Because, I'll be honest, physically racking less equipment is not anything I'll ever complain about!

Stay tuned for further updates, and don't forget to check out my GitHub to the right -->

Sunday, December 25, 2016

2016 Recap

A lot has happened this year, including an employer change, a new family addition, and new certifications. The employer I work for now has a huge Juniper presence, which allowed me to grow my CLI skills with a vendor besides Cisco. To take full advantage of this change, I went ahead and knocked out a few of Juniper's lower-level certifications. I took and passed both the JNCIA and JNCIS-ENT this past summer to help vet my newly learned skill set.

Book I used for the JNCIA and JNCIS-ENT Exam:


Along with Juniper, we're also rolling out our own NGFWs, which rival many competitors such as Palo Alto. Not only have I had an opportunity to get more hands-on experience with our firewalls, I also have the chance to administer Juniper SRXs and Palo Altos, which has been very challenging but engaging.

In my past roles I never had much of a chance to deal with network load balancers, which always bugged me. While I played around with Cisco ACEs (now extinct), I didn't find them very intuitive, with a weird learning curve. This year I've had the chance to deploy and implement virtual F5s using their LTM and GSLB modules. I only touched the GSLB (DNS load balancing) very lightly, but I did get some great experience with LTM (de facto server load balancing).

To end the year off, our first little one arrived, which meant that I didn't want to dig too deep into the certification world right now. Instead I'm now diving into Python so that I can script some of the repeatable stuff I do on a daily, weekly, or monthly basis. I'm very noobish, but with the help of a fellow colleague, we're starting to make some useful stuff.

Check out my GitHub link to the right ---> I'll be keeping it updated as time goes on and my skill level increases. Hope everyone has happy holidays; I'm excited for what the next year will bring!

Thursday, November 5, 2015

Digging into IP Packets

For the next 6 to 12 months I'm going to take a departure from focusing solely on certifications. I want to gain a better understanding of the underlying protocols that encompass my career daily. This will mean deep diving into the TCP/IP protocol suite. Not only do I want to understand what a typical IPv4/IPv6 packet looks like, I want to learn how to correlate trends based on the IP packets that traverse my network.

Alcatel-Lucent Ocean Fiber Cable Run


This will help immensely in troubleshooting security and general network connectivity issues. Not only that, but it can be used to stop certain teams from automatically blaming particular incidents on the network. With packet capture tools that show exactly what's happening between two hosts, there can be no ifs, ands, or buts about whose fault a particular problem is; the logs are concrete.

Not that a packet capture will be used for every incident, but it's good to have "big guns" that you can pull out of your arsenal every now and again. With that said, pulling out a "big gun" is no use if you have no clue how to operate the weapon. Hence why I've been poring over multiple Wireshark and huge TCP/IP books to help get me started. Having a strong foundation is important for just about any goal in life. We all know fundamental learning can become boring and repetitive quickly, because typically it's not the cool bleeding-edge stuff, but it's VERY important. Mastery comes from making tasks second nature, which requires constant repetition.

Just like a race car driver has to learn how to drive a fast car slowly first, the same can be said of networking. We must learn how to configure and design small elements of a particular portion of a network first before moving on to deploying networks that can properly scale and become resilient.

My Packet Capture read list:


Practical Packet Analysis

Wireshark Network Analysis (Second Edition)

Routing TCP/IP, Volume 1 (2nd Edition)

Tuesday, September 15, 2015

Cisco CCDA Passed!

I just left the test center with a passing score for the Cisco CCDA exam. Overall the exam was a lot fairer than what was described on the many internet forums I frequent. There were a handful of questions that definitely weren't mentioned in the FLG/OCG.

I think part of the reason is that the FLG/OCG books are a little long in the tooth. For example, Cisco NAC is mentioned all over the CCDA books, but nothing is mentioned about Cisco ISE. The same goes for the Cisco SONA framework: good stuff to know, at least at a high level.

I'm taking a break from certs for a while. I want to do some independent research on the TCP/IP stack and deep dive into packet inspection. After that I'll most likely read through some CCIE material for a refresher on all of those routing protocols.

CCDA 200-310 Official Cert Guide

Thursday, September 10, 2015

CCDA Test Scheduled

After a deep-dive review of all CCDA topics, I finally scheduled the test for next week. As part of the review I completely read through the Campus Network for High Availability design guide, along with skimming through the Cisco SAFE reference guide. Looking up a few Cisco SONA white papers didn't hurt either.

By far my weakest topic is security; it always has been for me. But I feel a lot more confident about my network security knowledge at a high level than ever before. Going into this exam I didn't expect to gain as much design knowledge as I did, considering that this is supposed to be an Associate-level cert. I was surprised by how I view my own networking projects with my employer compared to this time next year.

Once I get through this cert, I plan on taking a break from Cisco-centric certifications for at least a few months. I plan to deep dive into Wireshark along with reading a book or two specifically on the TCP protocol. My goal is to be well rounded in the fundamentals before deep diving into a specific area of networking. This will allow me to be more versatile and more open to what possibilities are out there in network implementation, design, and configuration.

Monday, August 17, 2015

Almost Ready for the CCDA Test....I think

The CCDA OCG book was polished off a few weeks ago. I haven't been able to schedule the exam yet due to projects and work travel. I hear that this test is a beast, so I went well beyond just the Cisco Press books. The design certs aren't about just knowing the technical aspects within the CLI. In fact, I only recall a few sections that even mention or reference a CLI command. They're meant to show you how to gather business requirements, plan, implement, and operate within the business constraints given. At least at a very high level, the knowledge I've learned over the last 8 months has already helped me with many of the projects I'm a part of.

Monday, May 18, 2015

CCDA DESGN OCG Progress

Typical of the world of IT to make everything an acronym. So many that there are multiple acronyms that are the same but mean something different depending on what you're referring to (e.g. RFC).

Anyway, I'm slowly making my way through the OCG book, finishing the small section on Data Center. If I recall, the FLG book never really hit this topic at all, so I learned quite a few cool new things, especially on the virtualization front, which lightly touched on Virtual Device Contexts and access-layer switching within the virtual environment.

I'm hitting every practice quiz, study reference, and additional study topic that the book offers. This will give me the right amount of repetition I need to be ready for the exam itself. Honestly, I feel like I should have studied for the CCNP R/S this way. At my current gig, we didn't touch routing too much besides DMVPN, so I'm starting to lose a lot of the intricate routing theory.

Saturday, April 4, 2015

Cisco DESGN Foundations Learning Guide Completed

Last week I finished the CCDA FLG book for the DESGN exam. The last chapter discussed wireless design and architecture at a very high level. There were tons of things I picked up from this chapter that helped me understand my employer's wireless environment immediately, mainly the Mobility and RF Group sections. We have a wireless refresh project coming up shortly (with the help of a vendor) and this will help me immensely.


Now I'm hitting the DESGN Official Certification Guide book, taking copious amounts of notes, making flash cards, and hitting the multiple-choice questions hard. I'm not exactly sure when I'll take this exam this year, but it should be before the end of summer. As mentioned before, I'm not exactly in a rush right now, coming off fresh from the CCNP about four months ago.

After the CCDA, next up is the CCDP, and then maybe...just maybe a CCIE-level certification. Experience trumps all, though, so after the CCDP I may wait until my knowledge and skill set are at a point where a CCIE certification makes sense. SDN and programmable networks are very intriguing to me, but my gut keeps telling me that I need a really strong foundation before diving into that.

Wednesday, March 4, 2015

Cisco SAFE

Security is my biggest weak point, period. I'm currently reading through the CCDA security chapters in the FLG book. I'm also downloading and bookmarking all of the references and white papers from these chapters I can get my hands on!

I probably have hundreds of pages of reading to do on the Cisco SAFE (SCF) security framework ahead of me. But I need to have a better holistic view of network security. I get asked network security questions quite often in my job role. Even today my employer's CIO had a security question that I foolishly couldn't answer because I'm not well versed in the firewall policies in our environment. I will be changing this.

Saturday, February 14, 2015

Enterprise Internet Edge Design

As I finished chapter 5 (Designing Remote Connectivity) in the Cisco CCDA FLG book, it provided a list of great references for gaining additional understanding. I read through Cisco's Ethernet MAN and WAN design guide. Now I'm going through Cisco's guide on enterprise internet edge design.

For the most part, the guide focuses on securing the edge within the 5 different modules shown above. This may be overkill for the CCDA, but my intent is to take in the material slowly and thoroughly.

Wednesday, February 11, 2015

CCDA Studies

I've been digging into network design specifically for the last two months now. I started and completed the Top-Down Network Design book, which was a great primer for the certification material.

I'm now working through the CCDA FLG book, which is really helping nail down the topics for the DESGN exam. I'm taking my time with this exam since I'm still fresh off the CCNP R&S certification, which is a nice change of pace since I wanted to knock out the CCNP cert before the new tracks started this year.

After the FLG book I'll finally hit the OCG book and then maybe finally prep for the exam itself. I'm on the fence about getting the CCDP ARCH books and/or CCNA Security books for exam prep, but we shall see. Along the way I'm going to constantly hit up the Cisco SRND documentation so that I fully understand the topics I'm learning.

Design is very interesting to me and something I've wanted to do but was always scared of. Hopefully over the next few months I can flesh out my blog more with the topics I've been learning. It's been years since I've really talked about my progress, due to the countless other blogs out there.

Tuesday, October 28, 2014

CCNP Passed!

As of October 28th, 2014 I'm officially a CCNP! After my ROUTE exam I jumped right into the SWITCH material. SWITCH was a lot easier for me to digest, as I work with Layer 2/3 switches almost daily. This exam alone helped my day-to-day tasks tremendously, along with giving me the confidence I need to tackle a few data center projects currently going on. The SWITCH exam took me 3-4 months to complete.

Today I finished up my CCNP by taking the TSHOOT exam, which was actually pretty fun. This is basically a lab simulation that tests your troubleshooting skills using CCNP-level knowledge. If you aced ROUTE and SWITCH, then this exam should be a breeze for you. I studied for about 2 months for this exam. I reviewed ROUTE topics, since there was a 4-month gap since I first dove into the routing material.

With the SDN craziness on the way, I'm going to spend the next 3 months digging into Python. This will also give me a much-needed break from certifications. After that I'm going to start hitting the Cisco design certs for the rest of the year. I acknowledge that my design skill set is my biggest weakness. While I do not expect to walk away able to take on a Network Architect type position, I do believe this will give me the foundation I need to head in that direction.

Wednesday, April 2, 2014

CCNP Route Test: Yes it's Hard, and Yes I Passed (Barely)

I completed the CCNP ROUTE exam yesterday. Yes, it's just as difficult as you think, but not impossible. I highly recommend the CCNP Simplified series along with their 101 labs; you truly do have to understand why each routing protocol works the way it does.

After passing this exam, I now understand why there is the CCIE. I simply had more questions rather than answers as I progressed through my study material.

Next up is the SWITCH exam. I previewed the book material I will use, which is the Cisco OCG and the CCNP Simplified series. I'm at a loss about what I'm going to do for setting up my switching lab. Setting up a routing lab is simple, just use GNS3, but of course GNS3 doesn't support switching yet in their software.

I have one lonely Cisco 3550 at home from my CCNP Voice studying. I think I'm going to bring my 3550 to work and borrow whatever layer 3/2 switches I can find to set up a lab. Either that or eBay, but I'm trying to avoid that if possible. I'm still on the fence on whether or not I should sell the 3-4 routers sitting in my rack doing nothing; only time will tell.

I plan to contribute to this blog more, which I've abandoned for quite a while due to life in general.

Sunday, November 10, 2013

Still Routing Around

I've had a bunch of life changes this year, but I'm still here and getting back into the swing of things. I've been primarily planning, designing, and implementing LAN technologies for the past 18 months. SDN is really starting to take off and I want to ride on its coattails, along with data center design.

I'm back to studying CCNP R&S again, and it's a lot easier to dig into it with the network experience I've gained compared to my first attempt 4 years ago. I'm only about 1/4 of the way through the FLG ROUTE book, but I plan on keeping a steady pace. Network projects and after-hours maintenance are a huge killer of persistence, along with life in general.

My immediate goals have changed a lot, but the end goal is to own a business of my own of some sort. I've tried a lot of different things and experienced a lot of different failures, but I plan on pushing on and just working smarter and harder.

Sunday, March 3, 2013

Local Route Group is for Winners

There's still a lot for me to learn when it comes to digit manipulation and simplifying dial plans. Last week I read up on local route groups and practiced them in my lab. They vastly cut down on the number of partitions and CSSs needed. So as not to infringe any copyright, this link provides a better explanation:

Local Route Groups

This is something I may keep in my back pocket for when we get around to changing the dial-plan configuration on our CUCM.

I have a feeling that once I get to CIPT2 and globalization, it may change the way I design a dial plan from scratch.

Sunday, February 17, 2013

Voice Lab Fully Functional

It took a lot longer than expected due to life in general, but my voice lab is fully functional. With the current career shift I'll probably finish the CIPT1 test and then go back to Routing and Switching. After that I'll move towards the design certs, as my role is now focused on network implementation and design.

I rolled out a few new networks already with my team, which includes planning, designing, and implementation. This includes VoIP, wireless, and security, so I've been learning a ton. I'm filling all the gaps that have been missing since I was thrown mainly into VoIP from the start.

Anyway, I knocked out a lot today:

1. Configured Extension Mobility on my CUCM Servers
2. Created Extension Mobility profiles and logged the users in
3. Re-provisioned HQ PRI to use only 3 channels
4. Configured Partitions and CSSs
5. Configured Route Groups, Lists, and Patterns for both the HQ and Branch sites
6. Created Translation Patterns for DIDs
7. Configured correct Dial-Peers on PSTN router and Branch Router (HQ Router uses MGCP)
8. Created Corporate GPO on Domain Controller (wanted to relax the default security settings)

Here's a picture of the route patterns I created:

Here's a picture of me testing out a call using a DID: