How to NAT private IP address within a VPN

Continuing from the little lab I built up in the last post, where I looked at how to get Windows 7 running natively in UNetLab, I now am looking at how we can perform NAT inside of an IPSec tunnel.

I am using the following for this:

2x Windows 7 (Pro), with VLC, Putty, JRE and ASDM installed
2x IOSv Layer 2 switches (running 15.2)
2x ASAv (running 9.4(1))
1x IOSv (running 15.5) - AKA "Internet".

All of these are within UNetLab, which is, so far, coping nicely with just the 8GB ram that Fusion seems to allow, but I really should put it on my ESXi server. I have seen ways to get around the 8GB limit, but every time I try, Fusion says its unsupported, and drops it down to 32Kb. It's a challenge.

The topology looks like this (note not everything is started just yet):

The end goal is that we have a VPN between the two ASAs, with HQ performing NAT to mask the traffic inside the VPN tunnel. You may be asking "Why the hell would you ever need to do that?", and it's a very good question, really it's not something you'd have to do often, but there are those times when someone doesn't like RFC1918 addresses going across a VPN tunnel, or (more commonly) you need to VPN to another site that has overlapping internal subnets.

Basic IP addressing (all /24):

Interface	IP Address
DMZ-Server	10.1.1.10 (default gateway 10.1.1.254)
HQ Gi0/3	10.1.1.1
HQ Gi0/1	1.1.1.2
Internet Gi0/0	1.1.1.1
Internet Gi0/1	2.2.2.1
Client Gi0/1	2.2.2.2
Client Gi0/3	10.200.1.1
Client-PC	10.200.1.10 (default gateway 10.200.1.254)

HQ Switch configuration

Very basic, just one vlan, and a VIF:

Switch#sh vlan | i VLAN0011
11   VLAN0011                         active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
Switch#sh ip int bri | e unas
Interface              IP-Address      OK? Method Status                Protocol
Vlan11                 10.1.1.254      YES manual up                    up      

Switch#

Basic (HQ) ASA setup.

Below is enough to get us started, and onto ASDM from our DMZ-Server:

hostname HQ
!
interface GigabitEthernet0/1
 nameif Outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0 
!
interface GigabitEthernet0/3
 nameif DMZ
 security-level 50
 ip address 10.1.1.1 255.255.255.0 
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
route Outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
user-identity default-domain LOCAL
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 10.1.1.0 255.255.255.0 DMZ
!
ssh 1.1.1.1 255.255.255.255 Outside
ssh 10.1.1.0 255.255.255.0 DMZ
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
!
username stuart password p60UDLdMNnbR8IQ. encrypted
!

The set-up for the Client ASA is not much different, and similarly, on the Client switch we have one VLAN (200), and a VIF of 10.200.1.254:

Switch#sh vlan | i VLAN0200  
200  VLAN0200                         active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
Switch#sh ip int bri | e unas
Interface              IP-Address      OK? Method Status                Protocol
Vlan200                10.200.1.254    YES manual up                    up      

Switch#

So far we should be able to ping from our Windows PCs to our ASAs:

Basic Internet access (our first NAT).

On the Internet router, we have a loopback interface with the IP address 8.8.8.8/32. We should be able to give ourselves access to this. It's working directly from the HQ ASA at the moment:

HQ# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
HQ# 

The first NAT rule "connects" the DMZ interface to the Outside interface:

HQ(config)# nat (DMZ,Outside) after-auto source dynamic any interface 
HQ(config)# 

If we follow it through, we can see that the rule will be placed last in the NAT rules table (after-auto). We match the DMZ and the Outside interfaces (our source network and the one we want to get to). We set a source of dynamic, meaning we can have more than one host behind this network, and we allow any source using the "any" keyword. Lastly we nat this through to the interface IP address given to our Outside interface.

I did have to use the command "fixup protocol icmp" in order to get the ping to work. The ASA will convert this into the following command:

HQ(config)# policy-map global_policy
HQ(config-pmap)# class inspection_default
HQ(config-pmap-c)# inspect icmp
HQ(config-pmap-c)# 

So now we also have "Internet" access (to a loopback on the Internet router):

Let's go ahead and set up the other side, and make sure that they can also ping the "Internet":

Client# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/30 ms
Client#conf t
Client(config)# policy-map global_policy
Client(config-pmap)# class  inspection_default
Client(config-pmap-c)# inspect icmp
Client(config-pmap-c)# exit
Client(config-pmap)#exit
Client(config)# nat (Inside,Outside) source  dynamic any interf
Client(config)# 

Great! Now the client should have access:

Now we can begin to create our VPN between the two sides.

Site-to-Site (L2L) IPSec VPN on Cisco ASAs

We start with a couple of network objects, and an access-list:

Client(config)# object network MyInsideNetwork
Client(config-network-object)# subnet 10.200.1.0 255.255.255.0
Client(config-network-object)# exit
Client(config)# object network TheirRemoteNetwork
Client(config-network-object)# subnet 10.1.1.0 255.255.255.0
Client(config-network-object)# exit
Client(config)# access-list Outside_cryptomap extended permit ip object MyInsideNetwork object TheirRemoteNetwork

Now we can start to define how we are going to talk to other peers:

Client(config)# nat (Inside,Outside) source static MyInsideNetwork MyInsideNetwork destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
Client(config)#crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
Client(config)# crypto ipsec ikev2 ipsec-proposal AES256
Client(config-ipsec-proposal)# protocol esp encryption aes-256
Client(config-ipsec-proposal)# protocol esp integrity sha-1 md5
Client(config-ipsec-proposal)# exi
Client(config)# crypto ikev2 policy 1 
Client(config-ikev2-policy)# encryption aes-256
Client(config-ikev2-policy)# integrity sha
Client(config-ikev2-policy)# group 2
Client(config-ikev2-policy)# prf sha
Client(config-ikev2-policy)# lifetime seconds 86400
Client(config-ikev2-policy)# exi
Client(config)# crypto ikev1 policy 10
Client(config-ikev1-policy)# authentication pre-share 
Client(config-ikev1-policy)# encryption aes-256 
Client(config-ikev1-policy)# hash sha
Client(config-ikev1-policy)# group 2
Client(config-ikev1-policy)# lifetime 86400
Client(config-ikev1-policy)# exi
Client(config)# crypto ikev2 enable Outside
Client(config)# crypto ikev1 enable Outside
Client(config)# 

Then we create the VPN, trying to keep it as generic as possible so that it is nice and easy to paste onto our other ASA:

Client(config)# crypto map Outside_map 1 match address Outside_cryptomap
Client(config)# crypto map Outside_map 1 set peer 1.1.1.2               
Client(config)# crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
Client(config)# crypto map Outside_map 1 set ikev2 ipsec-proposal AES256
Client(config)# crypto map Outside_map interface Outside               
Client(config)# group-policy MyPeer internal             
Client(config)# group-policy MyPeer attributes 
Client(config-group-policy)# vpn-tunnel-protocol ikev1 ikev2
Client(config-group-policy)# tunnel-group 1.1.1.2 type ipsec-l2l   
Client(config)# tunnel-group 1.1.1.2 general-attributes 
Client(config-tunnel-general)# default-group-policy MyPeer
Client(config-tunnel-general)# exi
Client(config)# tunnel-group 1.1.1.2 ipsec-attributes 
Client(config-tunnel-ipsec)# ikev1 pre-shared-key MyKey
Client(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key MyKey
INFO: You must configure ikev2 local-authentication pre-shared-key
      or certificate to complete authentication.
Client(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key MyKey
Client(config-tunnel-ipsec)# 

Moving on to the other (HQ) ASA, we can (with a minor edit here and there) paste in the same config:

HQ(config)# object network MyInsideNetwork
HQ(config-network-object)# subnet 10.1.1.0 255.255.255.0
HQ(config-network-object)# exit
HQ(config)# object network TheirRemoteNetwork
HQ(config-network-object)# subnet 10.200.1.0 255.255.255.0
HQ(config-network-object)# exit
HQ(config)# access-list Outside_cryptomap extended permit ip object MyInsideNetwork object TheirRemoteNetwork
HQ(config)# nat (Inside,Outside) source static MyInsideNetwork MyInsideNetwork destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
HQ(config)# crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
HQ(config)# crypto ipsec ikev2 ipsec-proposal AES256
HQ(config-ipsec-proposal)# protocol esp encryption aes-256
HQ(config-ipsec-proposal)# protocol esp integrity sha-1 md5
HQ(config-ipsec-proposal)# exi
HQ(config)# crypto ikev2 policy 1 
HQ(config-ikev2-policy)# encryption aes-256
HQ(config-ikev2-policy)# integrity sha
HQ(config-ikev2-policy)# group 2
HQ(config-ikev2-policy)# prf sha
HQ(config-ikev2-policy)#  lifetime seconds 86400
HQ(config-ikev2-policy)# exi
HQ(config)# crypto ikev1 policy 10
HQ(config-ikev1-policy)# authentication pre-share 
HQ(config-ikev1-policy)# encryption aes-256 
HQ(config-ikev1-policy)# hash sha
HQ(config-ikev1-policy)# group 2
HQ(config-ikev1-policy)# lifetime 86400
HQ(config-ikev1-policy)# exi
HQ(config)# crypto ikev2 enable Outside
HQ(config)# crypto ikev1 enable Outside
HQ(config)# crypto map Outside_map 1 match address Outside_cryptomap
HQ(config)# crypto map Outside_map 1 set peer 2.2.2.2               
HQ(config)# crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
HQ(config)# crypto map Outside_map 1 set ikev2 ipsec-proposal AES256
HQ(config)# crypto map Outside_map interface Outside               
HQ(config)# group-policy MyPeer internal             
HQ(config)# group-policy MyPeer attributes 
HQ(config-group-policy)# vpn-tunnel-protocol ikev1 ikev2
HQ(config-group-policy)# tunnel-group 2.2.2.2 type ipsec-l2l   
HQ(config)# tunnel-group 2.2.2.2 general-attributes 
HQ(config-tunnel-general)# default-group-policy MyPeer
HQ(config-tunnel-general)# exi
HQ(config)# tunnel-group 2.2.2.2 ipsec-attributes 
HQ(config-tunnel-ipsec)#  ikev1 pre-shared-key MyKey
HQ(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key MyKey
INFO: You must configure ikev2 local-authentication pre-shared-key
      or certificate to complete authentication.
HQ(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key MyKey
HQ(config-tunnel-ipsec)# 

And boom! We have a working VPN:

Traffic works the other way as well.

OK, so now that we have a working VPN, let's see if we can NAT on the HQ side.

NAT and Site-to-Site VPNs

In order that we can hide our 10.1.1.0/24 network behind a new network (192.168.1.0/24), we need to add another network object to HQ, add a NAT rule, an access-list, and finally edit our crypto map to reference the access-list:

HQ(config)# object network YouSeeMeAs
HQ(config-network-object)# subnet 192.168.1.0 255.255.255.0
HQ(config-network-object)# exi
HQ(config)#nat (DMZ,Outside) source static MyInsideNetwork YouSeeMeAs destination static TheirRemoteNetwork TheirRemoteNetwork
HQ(config)#access-list Hidden_CryptoMap extended permit ip object YouSeeMeAs object TheirRemoteNetwork
HQ(config)#crypto map Outside_map 1 match address Hidden_CryptoMap

Now we need to change the other side to look towards the 192.168.1.0 traffic (instead of the 10.1.1.0/24 network):

Once we send some traffic between the two sites, our VPN should get established.

Quite nicely, it's preserving (or reserving) the final octet for us. However, we are now only good for being called into. Our pings from HQ to the Client fail:

OK, so how do we get both sides working, instead of this one-way traffic that we have? Well, let's try and work out what's happening.

HQ# sh nat detail 
Manual NAT Policies (Section 1)
1 (DMZ) to (Outside) source static MyInsideNetwork MyInsideNetwork   destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
    translate_hits = 32, untranslate_hits = 32
    Source - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24
    Destination - Origin: 10.200.1.0/24, Translated: 10.200.1.0/24
2 (DMZ) to (Outside) source static MyInsideNetwork YouSeeMeAs   destination static TheirRemoteNetwork TheirRemoteNetwork
    translate_hits = 7, untranslate_hits = 7
    Source - Origin: 10.1.1.0/24, Translated: 192.168.1.0/24
    Destination - Origin: 10.200.1.0/24, Translated: 10.200.1.0/24

Manual NAT Policies (Section 3)
1 (DMZ) to (Outside) source dynamic any interface  
    translate_hits = 66, untranslate_hits = 59
    Source - Origin: 0.0.0.0/0, Translated: 1.1.1.2/24
HQ# 

This is our NAT table. And here is a very long packet-tracer output:

HQ# packet-tracer input DMZ icmp 10.1.1.10 1 7 10.200.1.10 detailed 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.1.1.1 using egress ifc  Outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ,Outside) source static MyInsideNetwork MyInsideNetwork destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Outside
Untranslate 10.200.1.10/0 to 10.200.1.10/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any any 
object-group service DM_INLINE_SERVICE_1
 service-object ip 
 service-object icmp 
 service-object icmp echo
 service-object icmp echo-reply
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffcd5403e0, priority=13, domain=permit, deny=false
        hits=48, user_data=0x7fffd8e59d00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 4
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (DMZ,Outside) source static MyInsideNetwork MyInsideNetwork destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
Additional Information:
Static translate 10.1.1.10/0 to 10.1.1.10/0
 Forward Flow based lookup yields rule:
 in  id=0x7fffce1821f0, priority=6, domain=nat, deny=false
        hits=29, user_data=0x7fffce14e060, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=10.200.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=DMZ, output_ifc=Outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffcd2d74f0, priority=0, domain=nat-per-session, deny=true
        hits=270, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW 
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffcdabbd30, priority=0, domain=inspect-ip-options, deny=true
        hits=522, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 7
Type: QOS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffcd9ecd50, priority=70, domain=qos-per-class, deny=false
        hits=191, user_data=0x7fffcd9eca20, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 8      
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffcda4d390, priority=70, domain=inspect-icmp, deny=false
        hits=44, user_data=0x7fffce13f110, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:       
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffcdabb5e0, priority=66, domain=inspect-icmp-error, deny=false
        hits=128, user_data=0x7fffcdabab40, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,Outside) source static MyInsideNetwork MyInsideNetwork destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fffce182df0, priority=6, domain=nat-reverse, deny=false
        hits=29, user_data=0x7fffce14e160, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=10.200.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=DMZ, output_ifc=Outside

Phase: 11     
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 376, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

HQ# 

In Phase 1 we find out egress interface.  We only have one, so it's no surprise. In Phase 2 we hit our first NAT rule - out 10.1.1.0/24 to their 10.200.1.0/24.

In Phase 3 we check (and pass) out ACLs, and in Phase 4 we perform NAT, again we hit the first NAT rule, translating our 10.1.1.10/24 client address to itself.

In Phases 5, 6 and 7 we perform per-session NAT, check the IP-Options and any QoS - all of these pass.

Phases 8 and 9 are np-inspects, these pass.

Phase 10 is a RPF (Reverse Path Forwarding) check, and this passed, so then its on to the final flow-creation.

So all looks good there, we don't see any failures. However, we can see that the ACL we are hitting is the original one - before we implemented NAT within our VPN tunnel. Therefore the Client ASA will be seeing traffic come over the VPN with an incorrect endpoint address. So lets just pop over to ASDM (because it's much easier) and try moving the order of our NAT statements around.

Before:

After:

Now (thankfully), our DMZ-Client PC can access the Guest-PC:

As a final note, let's have a look at the packet tracer again and see the difference (I have truncated the output this time to make it a bit easier):

HQ# sh nat detail                                                   
Manual NAT Policies (Section 1)
1 (DMZ) to (Outside) source static MyInsideNetwork YouSeeMeAs   destination static TheirRemoteNetwork TheirRemoteNetwork
    translate_hits = 15, untranslate_hits = 15
    Source - Origin: 10.1.1.0/24, Translated: 192.168.1.0/24
    Destination - Origin: 10.200.1.0/24, Translated: 10.200.1.0/24
2 (DMZ) to (Outside) source static MyInsideNetwork MyInsideNetwork   destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24
    Destination - Origin: 10.200.1.0/24, Translated: 10.200.1.0/24

Manual NAT Policies (Section 3)
1 (DMZ) to (Outside) source dynamic any interface  
    translate_hits = 66, untranslate_hits = 59
    Source - Origin: 0.0.0.0/0, Translated: 1.1.1.2/24
HQ# packet-tracer input DMZ icmp 10.1.1.10 1 7 10.200.1.10 detailed 

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ,Outside) source static MyInsideNetwork YouSeeMeAs destination static TheirRemoteNetwork TheirRemoteNetwork
Additional Information:
NAT divert to egress interface Outside
Untranslate 10.200.1.10/0 to 10.200.1.10/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any any 
object-group service DM_INLINE_SERVICE_1
 service-object ip 
 service-object icmp 
 service-object icmp echo
 service-object icmp echo-reply

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (DMZ,Outside) source static MyInsideNetwork YouSeeMeAs destination static TheirRemoteNetwork TheirRemoteNetwork
Additional Information:
Static translate 10.1.1.10/0 to 192.168.1.10/0

Phase: 4
Type: NAT     
Subtype: per-session
Result: ALLOW

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW

Phase: 6
Type: QOS
Subtype: 
Result: ALLOW

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
              
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,Outside) source static MyInsideNetwork YouSeeMeAs destination static TheirRemoteNetwork TheirRemoteNetwork

Phase: 11
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 392, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
              
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

HQ# 

So, here we can see that the order of NAT is extremely important.

Hope you have enjoyed the post!

10 days to go - alias: If I fail, I am blaming Bethesda

I am nearly into the single-digit countdown towards the five-digit number I am working hard to gain.

I say working hard, more like trying to work hard. Speed is improving, short-cuts are being learned, and the number of stupid errors I am making is reducing. So, in many ways, its looking promising.
However, yesterday I downloaded Fallout Shelter onto my iPhone, and ended up losing an entire evening.

It's good to have something to take away the monotony of study, to give yourself a break every now and then, but really, I shouldn't have picked such an immersive game.

I love the Fallout games, so was keen to have a play with this, but that was Sunday night gone. No study, no reading through notes, no practice, I just played. In a way it was nice though, as it took my mind off of the study and gave my brain a rest.

However, it's all about dedication and self-control. These next few days are critical, and I need to be dedicated if I am to pass the CCIE lab.

So, here is my goal(s) for the next few days - lab and work on my aliases.
Since spending more time labbing (predominantly Cisco 360), I have seen that I do use the same commands over and over again. It makes sense, therefore that I make these commands as easy as possible.

This is where the alias command comes in to play. Whilst I don't think that walking in to the lab with a long (mental)list of alias commands to write is sensible (after all who wants to spend more time writing a fantastic list of all the possible aliases that you could need, at the expense of the short time limits imposed by the exam), having one or two is sensible.

My go-to command is "sh ip int bri | e unas", Takes a second or two to type, but (as with anything) is prone to typing mistakes. Therefore adding these commands, can make life easier:

R7(config)#do sh ip int bri | e unas
Interface         IP-Address      OK? Method Status   Protocol
Serial1/0         10.8.1.1        YES NVRAM  up       down
Serial1/1         10.7.1.2        YES NVRAM  up       down
Serial1/2         10.9.1.1        YES NVRAM  up       down
Loopback0         172.20.1.1      YES NVRAM  up       up
Loopback1         172.20.2.1      YES NVRAM  up       up
Loopback2         172.20.3.1      YES NVRAM  up       up
Loopback3         172.20.4.1      YES NVRAM  up       up

R7(config)#alias exec shint show ip inter bri | e unas
R7(config)#alias configure shint do sh ip int bri | e unas
R7(config)#shint
Interface         IP-Address      OK? Method Status   Protocol
Serial1/0         10.8.1.1        YES NVRAM  up       down
Serial1/1         10.7.1.2        YES NVRAM  up       down
Serial1/2         10.9.1.1        YES NVRAM  up       down
Loopback0         172.20.1.1      YES NVRAM  up       up
Loopback1         172.20.2.1      YES NVRAM  up       up
Loopback2         172.20.3.1      YES NVRAM  up       up
Loopback3         172.20.4.1      YES NVRAM  up       up

R7(config)#exit
R7#shint
Interface         IP-Address      OK? Method Status   Protocol
Serial1/0         10.8.1.1        YES NVRAM  up       down
Serial1/1         10.7.1.2        YES NVRAM  up       down
Serial1/2         10.9.1.1        YES NVRAM  up       down
Loopback0         172.20.1.1      YES NVRAM  up       up
Loopback1         172.20.2.1      YES NVRAM  up       up
Loopback2         172.20.3.1      YES NVRAM  up       up
Loopback3         172.20.4.1      YES NVRAM  up       up

R7#

I have configured the alias "shint" under both exec mode, and under configuration mode. This command will either do "sh ip int bri | e unas" in exec mode, or if in configure mode, it'll do "do sh ip int bri | e unas". So now, I have one command which will get me the same output, no matter where I am in the cli - this is because you can't do "do <alias>" and get the same output:

R7(config)#alias configure shlo sh run int lo0
R7(config)#do shlo
                ^
% Invalid input detected at '^' marker.

R7(config)#alias exec shlo sh run int lo0
R7(config)#exit
R7#shlo
Building configuration...

Current configuration : 64 bytes
!
interface Loopback0
 ip address 172.20.1.1 255.255.255.0
end

R7#

Now I just need to pay attention to the commands I frequently use, and make suitable aliases for these. It should save a few (crucial) seconds here and there, and (more importantly) reduce chances of error. Now that get's a big thumbs up!

Anyway, a short post today, I have vault dewellers that need water studying to do.

P.S. Hope you like the CSS change on the console output, green text on a black background is easier to read, and looks better I think.

Windows 7 host on UNetLab

Back again, as promised (albeit a week later than planned).

Today I'll be setting up a Windows 7 host on UNetLab. I did try Windows 10, but it failed to launch after the conversion to qemu.

If you want to play along at home, you'll need a Windows 7 VM running under VirtualBox, UNL (UNetLab) and a bit of time.

The first step is to convert the VirtualBox image's VDI file into RAW:

Stuarts-iMac:VirtualBox VMs stu$ cd Windows\ 7-Pro/
Stuarts-iMac:Windows 7-Pro stu$ ls
Logs   Windows 7-Pro.vbox Windows 7-Pro.vbox-prev Windows 7-Pro.vdi
Stuarts-iMac:Windows 7-Pro stu$ vboxmanage clonehd Windows\ 7-Pro.vdi Win7.img --format RAW
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Clone hard disk created in format 'RAW'. UUID: a1c6a37c-8988-49a0-b20e-aca2fb22f181
Stuarts-iMac:Windows 7-Pro stu$

Then using Filezilla, or similar, copy it to the /tmp folder on the UNL VM. If you start to run out of room, as I just have, then read Andrea's guide on adding more space to UNetLab.

root@unl01:~# cd /tmp/
root@unl01:/tmp# ls
vmware-root  Win7.img
root@unl01:/tmp# mkdir /opt/unetlab/addons/qemu/win-7-Pro
root@unl01:/tmp# /opt/qemu/bin/qemu-img convert -O qcow2 -f raw Win7.img hda.qcow2
root@unl01:/tmp# mv hda.qcow2 /opt/unetlab/addons/qemu/win-7-Pro/
root@unl01:/tmp# ls /opt/unetlab/addons/qemu/win-7-Pro/
hda.qcow2
root@unl01:/tmp# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
root@unl01:/tmp#

Now we can make a nice looking topology:

I am using Chicken of the VNC, it seems to work much better than the Mac in-built one. Means connecting is a little bit more manual, but it works well.
So now let's do some basic configuration. I am not testing end-to-end connectivity at this stage, thats for a different post, we are just testing very basic host-to-switch connectivity. I have given the vlan 11 interface on the switch the IP address of 10.1.11.1, and set an IP address on the Windows host of 10.1.11.10, both are using a /24 subnet. The Windows host also has the switch IP address set as it's default gateway:

Awesome, we can ping between them.

See how easy it is to get hosts running in UNetLab?

Why you should invest in Cisco 360

As part of the Narbik course I sat last year, I got access to Cisco 360, and because of that I got a nice set of config labs to play with.

I hadn't done one in a while, so thought would give it a go on Saturday. I have to list a few erratas first, and this was that during the lab I had to go and pick my boys up, and put them to bed, which too a large chunk away from the allotted time, not saying that this is the only reason for my shocking performance, but it certainly did not help with my level of concentration, and I know that I rushed it, and did not treat it as an actual lab.

Hopefully during the actual exam I won't have two toddlers asking for different TV programs to be put on, cats wanting to be fed, or having to drive around to pick up said toddlers, and put them to bed. I am sure the actual lab exam will be a little easier, in that respect.

Anyway, let's start by listing the problems that were my fault.

1. I didn't look at all of the topology diagrams

There are a number of topology diagrams, and I concentrated on the main one (the clickable map on the main screen). I didn't look at the MPLS diagram for a start.

Stupid, stupid me, and because of this, I failed on two major tasks.

Because of this one question regarding VTP didn't make any sense. We have a switch that is not allowed to have any VLANs created on it. Not being able to see any way for that switch to get the VLANs, I went ahead and created them on there.

If I had looked at all the diagrams, then I would have seen that there was a backbone switch, that would have supplied all of the VLANs required.

Similarly, we have a couple of routers that are VRF enabled. Now, I did this part, created the VRFs, but in doing so, fucked up all of the IGP stuff I had done previously - so again, failed massively, which brings me on to point 2.

2. I didn't read through the whole list of of tasks.

Again, stupid, stupid me.

Because I didn't read all of the requirements at the beginning I screwed myself up badly. I did not treat it as an actual exam. I rushed in head-first, without thinking about consequences and how a network is built.

The example here is that we have a couple of VRFs, SITE1 and SITE2. When we are dealing with VRFs we need to specify the VRF in the IGP process. I didn't and so when the lab was graded, what had originally worked, was broken when I implemented the VRFs.

3. I didn't treat if as an actual lab

I rushed this. I wanted to practice something different, so tried to push a lab in between normal weekend activity. Clearly this didn't work. I should have found proper time, a closed environment uninterrupted by external influences, and treated it in the same way that I intend to take the lab.

Lab day is getting close, its only 17 days now, and I still have three or four 360 labs that I can do. But these need to be treated properly and respected, as it were, for the lab that they are. Although I am pissed at myself, I still think that this was a good failure, and I'll explain why this is, and why they are a good investment.

Why is 360 a worthwhile investment?

So why would I recommend 360?

Because it is written in the manner that the exam is. This is key. Understanding how Cisco terms things, how they write their questions, and how they lay things out, will greatly benefit you when it comes to the actual lab. You also get access to the answer key, which explains what they expected and why. You can also see what commands they run as part of the automated checking, which is very worthwhile reading, as you might pick up a command or two to add to your arsenal.

Although I fucked up royally, due to the points above, fucking up can be a good thing (sometimes). I keep espousing how I am trying to hone my process, for troubleshooting and configuration, well this is (now) a highlighted part of that process.

Because it is close to lab time, this will be fresh in my mind, and I am less likely to make these mistakes again.

Granted there are a number of vendors that offer "labs", but 360 is worthwhile due to being able to see how Cisco actually write these labs. It offers you a chance to try and get inside their heads and see what they are expecting.

What would be nice would be if Cisco could offer these at a lower cost. You can get a four-pack of either configuration, or troubleshooting labs for $499 each, which isn't cheap in the slightest, and buying both is nearly the same price as the actual lab exam. If they offered them at say $50 each, I think they would have a lot more custom. But then the CCIE is never a cheap thing to do.

If you do want to invest in these then you can do so from the learningnetworkstore site.

Hopefully I can find time to sit another one of these, learn from my mistakes on Saturday and do better!

Onwards and upwards!

UCSPE on UNetLab

After the fun try yesterday of getting an Ubuntu guest running under UNetLab, I started to think what else could I try.

Given that it would appear that if it comes in an OVA file, UNetLab has a pretty good chance of running it, then we should (in theory) be able to run a very wide range of VMs.

So my attention turned to UCS.

Now, its pretty obvious that the UCS is a pretty big bit of kit. But there is a UCS emulator. Not sure what kind of connectivity it offers, but it might be fun to give it a go.

I started by downloading the UCS Platofrm Emulator from Cisco, you'll need a Cisco login to do this, and I grabbed the latest version (3.0.2c), which comes in a handy ova file.

I created a new directory under /opt/unetlab/qemu/ called win-ucspe-3.0.2, and while I was at it, renamed the win-7 folder from yesterday, to win-ubuntu - makes it easier to figure out what's what.

It takes a while to download the ova from Cisco, seems a lot of people find the 800+Mb download very slow.

Once it is downloaded copy it over (using Filezilla or similar) to /tmp, extract it, use qemu-img convert, and copy it to the new folder. Then run fixpermissions again. The full steps are below:

root@unl01:~# cd /opt/unetlab/addons/qemu/
root@unl01:/opt/unetlab/addons/qemu# mv win-7 win-ubuntu
root@unl01:/opt/unetlab/addons/qemu# mkdir win-ucspe-3.0.2
root@unl01:/opt/unetlab/addons/qemu# cd /root/
root@unl01:~# cd ..
root@unl01:/# cd tmp/
root@unl01:/tmp# ls
vmware-root
root@unl01:/tmp# ls
UCSPE_3.0.2cPE1.ova  vmware-root
root@unl01:/tmp# tar -xvf UCSPE_3.0.2cPE1.ova
UCSPE_3.0.2cPE1.ovf
UCSPE_3.0.2cPE1.mf
UCSPE_3.0.2cPE1-disk1.vmdk
root@unl01:/tmp# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 UCSPE_3.0.2cPE1-disk1.vmdk hda.qcow2
root@unl01:/tmp# ls
hda.qcow2  UCSPE_3.0.2cPE1-disk1.vmdk  UCSPE_3.0.2cPE1.mf  UCSPE_3.0.2cPE1.ova  UCSPE_3.0.2cPE1.ovf  vmware-root
root@unl01:/tmp# mv hda.qcow2  /opt/unetlab/addons/qemu/win-ucspe-3.0.2
root@unl01:/tmp# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
root@unl01:/tmp#

Now, we can add it as a node, and fire it up:

We can VNC to it as well!

We cant do much at the moment, so we need to edit the lab, to add a host with which we can manage the UCS, and a router, to provide DHCP services to the UCS emulator.

So let's do that!

This looks a bit better!

Let's start by setting up DHCP on the router:

Router(config-if)#do sh run | s dhcp
ip dhcp excluded-address 10.120.1.254
ip dhcp pool UCS
 network 10.120.1.0 255.255.255.0
 default-router 10.120.1.254
Router(config-if)#do sh run int e0/1
Building configuration...

Current configuration : 68 bytes
!
interface Ethernet0/1
 ip address 10.120.1.254 255.255.255.0
end

Router(config-if)#do sh ip dhcp bind
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.120.1.1          5000.0001.0000          Jun 19 2015 12:13 PM    Automatic
Router(config-if)#

Great! Now if we restart networking on the UCS, we should see an IP address:

Awesome!

Now let's set up our host.

I have assigned the IP address of 10.120.2.254/24 to the e0/0 interface of router, and the host gets 10.120.2.1/24. The host can reach the router, and the UCS:

So far so good. Can we get to the UCS? Well, no. But I think its a configuration issue, rather than a problem with UNetLab.

So I added a few more interfaces (I think 3 will suffice) to the UCS VM, and had to shut down the node and start it again for them all to be picked up. It did, at least get rid of some of the warnings on the UCSPE.

Eventually I got a "Network configured" message, and things looked much better:

So, long story short - you need three interfaces on the UCS VM.

After a few minutes, once UCS had done its thing, we can access the GUI from the Ubuntu host:

Freaking awesome! It certainly might help someone studying their CCIE DC!

I love the new HTML interface as well!

So there you go, UNetLab will happily run Ubuntu and UCS (PE at least).

Catch you tomorrow, when I'll try and get a working Windows VM on the system as well!

Can UNetLab run an Ubuntu node?

I decided to have a little fun today, to see if UNetLab could run an Ubuntu node. UNetLab can run a Windows guest, courtesy of Qemu, so, in theory, another Qemu image should be ok, right? Linux hosts are not on Andrea's (impressive) list of supported systems, but it's worth a shot. So let's see!

I am starting with an Ubuntu VM in VirtualBox, a very minimal default install, just adding VLC and downloading a video from archive.org. The idea being that if two nodes can run, maybe I can multicast from one to the other.

Building the base image is no big task if you have ever created a VM in VirtualBox, so we'll skip over that bit. I ran the updates, and shut down the VM.

Step 1 - Converting VirtualBox image to RAW

Because we cannot use the default VM filetype, we have to first convert the VDI file to a RAW image. To do that we use the VBoxManage command. The command is "vboxmanage clonehd old.vdi new.img --format RAW", where old.vdi is he existing VirtualBox disk, and new.img is our RAW file:

C:\Users\sfordham\VirtualBox VMs\Ubuntu>"c:\Program Files\Oracle\VirtualBox\vboxmanage" clonehd NewVirtualDisk1.vdi ubuntu.img --format RAW

You will see a percentage line below (if you have entered the command correctly), and once it hits 100%, which can take a while depending on the size of the VDI, and your processor, we can then move on to creating a image suitable for UNetLab.

Step 2 - Converting RAW to qcow

Once we have a converted (RAW) file, we can convert it to qcow.

To do this we need to install Qemu. I am using a Windows build from Stefan Weil, I got this from Qemu.org. Qemu comes with a command line program called qemu-img, and we can use this to convert to qcow (qcow2 to be exact). The command is "qemu-img convert -O qcow2 -f raw new.img newfile.qcow2":

C:\Users\sfordham\VirtualBox VMs\Ubuntu>"c:\Program Files\qemu\qemu-img.exe" convert -O qcow2 -f raw ubuntu.img hda.qcow2

We don't get a progress percentage with this command, so just sit back and wait a while. This is already installed in UNetLab - so you can also copy the img file created in step 1, and run the command on the UNetlab box itself.

Once we have our new file we can copy it over (using Filezilla). I am copying it to a new directory, called "win-7", under /opt/unetlab/addons/qemu:

root@unl01:/opt/unetlab/addons/qemu/win-7# ls
hda.qcow2
root@unl01:/opt/unetlab/addons/qemu/win-7#

Once we have run the fixpermissions script (/opt/unetlab/wrappers/unl_wrapper -a fixpermissions) - it shows up:

The node, however, would not start. I think this is due to VirtualBox though. So I am switching to VMWare player. Hopefully I'll have better luck. If not it'll be VMWare Fusion on my Mac.

Note, much time later, it turns out that VMWare player does not like OVF version 0.9, or 2.0 - it does seem happier with version 1.0 though.

So, using the same UNetLab vm, now (finally, grrr) exported into VMWare player, let's see if it'll run...

OK, third time is a charm!

I can now run an Ubuntu Qemu guest!

Not much of a network at the moment. So let'd make something a little better:

They all start:

But at this stage they do not communicate. I assigned both hosts to vlan 100, gave Win an IP of 192.168.1.101, Win2 an IP of 192.168.1.102. Created VLAN 100 on the switch, along with a VIF (192.168.1.1 wich was set as the hosts default gateway) - but nothing would communicate.

So I created this instead:

Note that R2 wont start at the moment. But really, this is not massively important right now. I just want to get the bare-bones working.

And, it does - though I have had to play around with the IP addressing (for obvious reasons):

We can ping from Win-2 (Ubuntu) to an IOL router (R4), we can also telnet to the router. So, we are off to a good start. Not sure why the other router would not start, but I do know that the laptop I am running this on is pretty underpowered. Hopefully I'll have better luck on my Mac on Friday, when I create a Windows host, and if all goes well, will be able to connect it to the Ubuntu box I just created.

See you on Friday.

I have got to the Donnie Darko stage

Depending on how you look at it, this time next month I will have sat the CCIE lab exam. I say depending on how you look at, because today is the 11th and its a thursday, but the exam is on Friday the tenth - but its also 28 days away, which is four weeks, which is a month.

So, now I am at the Donnie Darko stage, 28 days, 6 hours and the clock is ticking...

It's getting easier, things are definitely falling into place. Still trying to find the time to lab as much as possible, not doing too much reading, apart from where I get stuck on things, but definitely labbing as much as possible.

Speed wise I am getting much better, the brain is getting up to the required speed quicker, and I am figuring out how to make the most of notepad - this is a pretty essential part. Cutting, editing, pasting from router to router is definitely much quicker than doing it all by hand - this is a simple concept, and I am sure you don't need reminding - however - and this is where the whole "refer back to the topology" mantra comes in handy - it's pretty annoying when you balls it up and BGP starts screaming that the 8 or so neighbor statements you have just pasted in are all for the wrong AS.
So will the world end for me if I fail? No, not really. I'll be a bit miffed, but I can re-sit it. If I pass, then great! It'll be beers all round at the weekend.

So which way do I think it'll go? Not sure really. I still have 27 days to get the process honed, and it is getting revised with everything that I do, adding to the speed and accuracy of how I tackle a TS or config. It is also aiding on the time management side of things.

I think the time management aspect will be the hardest part, I am trying to keep to 2 hours for a TS, 5 hours for a config when practicing, how this will turn out in the exam is anyone's guess. It is so easy to get stuck into a problem that all time just goes out of the window, and before you know it 40 minutes have passed and you have still got 9 questions to do (which would equate to about just under 9 minutes for each of the remaining questions).

I have the four days before the exam booked off, so it will be (relatively) interruption free, allowing for some good practice time before I sit the lab. Before that I have three weeks to do what I can, and this is still whilst working and being a parent and a father also take priority.

Regardless of the pass-or-fail aspect of the lab this is actually beneficial, and its really made me learn the technologies. It's already (I think) made me a better engineer, and getting the numberswill be a nice bonus.

To end on a Donnie Darko note, as Frank the bunny rabbit says "I can do anything I want. And so can you".

IOU file for MPLS for Cisco Networks now available

I had been meaning to finish this off for a while, but what with the studying and all, it kind of got put to the side. Anyway, I got sent an email, from a very friendly guy, asking if I could send the initial configs so that he could create the IOU files himself.

Instead I created the IOU file, including a clickable image map (again this is a real push towards going solely IOU for the next volumes). It looks much cleaner than the GNS3 version, and I can reuse the image that's in the book, so it keeps a much more consistent feel.

Obviously the interface names will be different (no GigabitEthernet in IOU), but you are a bunch of clever people, so I am sure you'll be fine!

So far the majority of people responding to the poll on the right hand side are in favour of IOU, but there is still quite a few days left, so who knows which way it will swing.
The IOU-web file for MPLS for Cisco Networks is available to download from the books section above.

35 days and counting: Why one bad day shouldn't dishearten you

It's a mere thirty-five days till the lab exam, and I had a complete shocker of a study time today.

So far, things have been steadily improving. My speed is getting better, and the process is getting honed. This does not help, though, for those days when things just don't click.

I want to put it down to having too many interruptions during the day.

First came a wine delivery, from Naked Wines - after studying for hours who doesn't like a glass of wine!

Then there was another delivery, this time it was Brad Klausen's Flight to Mars poster:

Beautiful, isn't it? Going to get it framed.

Next was some more post, including some Croc shoes (with lights for one of the boys).

Next was the cleaner.

So, lots of interruptions. But really, this should not be a reason for:

1: Not reading requirements properly
2: Not reading IP addresses, and typing in the wrong IP addresses
3: Assuming that basic things have been done.

1 and 2 are pretty self-explanatory. but let's take an example for #3 (which also links to #1).

We are faced with a number of switches. Routers connect to these switches, in different VLANs. The requirements are to put all the interfaces in the correct VLANs, make sure that the trunks use dot1q encapsulation. Not too difficult, right?

Depending on what you are studying, you'll either have a diagram with the interfaces labelled, or, at worst, you'll need to get onto each of the routers and to a "sh cdp neigh", a "sh ip int bri | e unas", and from there work out the correct vlans to put the switch interfaces into. Either way, it shouldn't be too traumatic.
So, i had a long text document with the interface to vlan assignments, worked this down into a number of easy-to-paste lines, and pasted them on. I had partial router-to-router connectivity, but others were dead in the water. I checked and double checked. The interfaces were in the correct VLANs. The VLANs were in the database. The interfaces were up/up on both the routers and the switches, and the IP addresses were checked and double checked.

Eventually, after running "sh int trunk", I saw that the trunk interfaces were set to use ISL encapsulation, not dot1q.

This is something that I should have picked up on earlier (ideally). I missed this because:

A: I did not fully read the requirements (overlaps with B)
B: I made an assumption
C: My process did not include this (again this overlaps with B).

I did read the requirements, but my assumption, because dot1q is the standard, overruled sense. Because dot1q is the standard my assumption did not factor an alternative into my process

So, although it took longer, eventually I did finish all of the tasks. If it were the real exam I would have failed.

There is, however, and upside.

I still have time, therefore I can learn from this mistake. I have learned (I hope), not to make assumptions, and this issue (ISL vs dot1q) is not part of my process, the both troubleshooting and configuration.

So, long story short, the take home from this is that the process has changed, and a lesson has been learnt.

Now I am sitting here, drinking a nice glass of wine.

Onwards and upwards. Let's see what the next thirty (or so) days bring!

Cheers!