I was elated as I left the exam center yesterday having just passed the ICND2 exam. I did not exactly light up the scoreboard as I got an 860. However, that was a 42 point improvement over the last time I took the exam and was enough to pass. I am now officially a CCNA!

Happy Days!


ICND2 – Take 2 – Exam Later Today

Last Wednesday I scheduled my ICND2 exam (again). The original goal date was 08-17-2012 but I just didn’t feel I would be ready in 2 days so I scheduled it for today. I was up late last night playing the Cisco Aspire game and once again I had trouble sleeping. I do not know what it is about the ICND2 exam that makes it so intimidating but it really works the nerves over. So I woke up this morning without getting a good night of sleep. I normally relax on exam day and do not cover any material. Today I am studying. So I start into my 2nd attempt by making two mistakes again: not getting enough rest and cramming. Part of me feels that I am going to totally redeem myself since I only missed passing by 7 points last time. Another part of me feels like I am going to do worse than last time. On my last attempt there were 4 or 5 questions (2 on one topic) that would have made the difference. I am also feeling that maybe I spent too much time focusing on those areas and not enough on everything else. What happens if I do not even get questions on those topics again? Honestly, I did not get as much studying done in the last two weeks as I wanted. The exam is in about 5 hours so whether I like it or not, I’m up to bat again. I’m really not sure if I can handle another crushing defeat on this exam. One thing is certain though: I will keep taking this exam until I pass. I am committed to that! Hopefully, my stress and worries about the ICND2 exam and CCNA will be in the rearview mirror very soon. Now, it is time to go review more.

Cisco Aspire CCNA Edition

I started playing Cisco Aspire CCNA Edition last Thursday and found it not only to be a lot of fun but quite useful for studying as well. You can read all about the game on the Cisco web site so I’ll forgo the general description of the game and only talk about the specifics.

The Good:

Pertinent Material
Similar to Labbing

The Bad:

Bugs – the kind that require you to load a saved game and re-do an entire contract in order to progress
Format/Cost – The game requires you to purchase tokens to unlock contracts in the game. I purchased 1000 tokens for $50 which allowed me to unlock everything. However, the tokens work only on that single install. In my case it is on a Windows XP virtual machine using Parallels. If I want to install and play the game on my laptop I would have to buy a whole new batch of tokens.

Overall, I had fun playing and am on the next to last contract of the game. Unfortunately, I have no more time to play before the exam. I definitely recommend the game if you have the means.

My number one tip though: Save early and save often! 🙂

ICND2 – Chapter 19 – IPv6


1. Address Assignment Features – Allows easier renumbering, dynamic allocation, and recovery of addresses
2. Aggregation – Blocks are easier to aggregate vs. IPv4
3. No Need for NAT/PAT – there are enough addresses for every host to have a globally unique one
4. IPSec support built in – the original IPv6 node requirements (RFC 4294) made IPsec support mandatory; RFC 6434 later relaxed that to a SHOULD. Built-in support is not the same as encryption by default: IPsec still has to be configured, so IPv6 traffic is no more protected than IPv4 traffic until it is
5. Header improvements – the IPv6 header carries no checksum, so routers do not recalculate one at each hop; the Flow Label lets devices identify packets belonging to the same flow without looking past the header
6. Transition Tools –

IANA (the address function run under ICANN) assigns one or more IPv6 address ranges to each RIR (Regional Internet Registry), so public IPv6 addresses are grouped by major geographical region.

Inside each region, the RIR divides its address space among the ISPs in that region.

Each ISP in a region further divides its range among its customers.

An IPv6 address is 128 bits long and is written as 32 HEXADECIMAL digits organized into 8 quartets (16 bits each) separated by a : (colon).

Each hex digit represents 4 bits.

Leading 0s can be omitted in a quartet (a quartet that is all zeros keeps a single 0 unless it is covered by the double colon).

One and only one run of consecutive all-zero quartets can be represented with a :: (double colon); because there is only one ::, the reader can work out how many quartets it stands for.

IPv6 addresses use / (slash) notation for the prefix length (the IPv6 equivalent of a subnet mask), e.g. /64 for a typical LAN subnet.

Address Types:

Global Unicast – The equivalent of IPv4 public addresses
Prefix 2000::/3 (Can be easily identified as it starts with a 2 or 3)

Unique Local – The equivalent of IPv4 private addresses (RFC 4193)
Prefix FC00::/7; in practice addresses are allocated from FD00::/8, so they can easily be identified as starting with FD

Link Local – For packets sent on a local subnet only; every IPv6 interface has one, and routers use them as next-hop addresses
Prefix: FE80::/10 (Easily identified as starting with FE8, FE9, FEA, or FEB)

Multicast – All IPv6 multicast addresses start with FF (FF00::/8); the fourth hex digit is the scope
Prefix: FF02::/16 for link-local scope, i.e. multicasts that stay on the local subnet (Easily identified as it starts with FF02)

Special Addresses:

FF02::1 – All nodes on the link
FF02::2 – All routers on the link
FF02::1:2 – All DHCPv6 relay agents and servers on the link; hosts send their DHCPv6 Solicit messages here (note the 1:2, it is not FF02::12)

DHCPv6 servers can be either stateful (the server hands out the address and tracks the lease, like DHCPv4) or stateless (the host builds its own address with SLAAC and only asks the server for other information such as DNS servers).

The use of the zero-subnet or broadcast subnet is a non-issue with IPv6.
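The quartet, leading-zero and double-colon rules above, plus the prefix tests behind the address types, implemented in Python as an added example (this is not code from the blog or from the Cisco book). It goes a little beyond the notes: compress() produces the RFC 5952 canonical form (lowercase, longest zero run, leftmost on a tie, never a lone zero quartet), and the well-known group table also lists the two OSPFv3 groups.

```python
"""IPv6 address expansion, RFC 5952 compression and prefix classification.

Added example (not from the blog or the Cisco book): it implements the
quartet/double-colon rules and sorts an address into the types listed in
the notes by testing its leading bits.
"""
import re

QUARTET = re.compile(r"^[0-9A-Fa-f]{1,4}$")

# Well-known link-local multicast groups: the three from the notes plus
# the two OSPFv3 groups.
WELL_KNOWN = {
    (0xFF02, 0, 0, 0, 0, 0, 0, 1): "all nodes on the link",
    (0xFF02, 0, 0, 0, 0, 0, 0, 2): "all routers on the link",
    (0xFF02, 0, 0, 0, 0, 0, 0, 5): "all OSPFv3 routers",
    (0xFF02, 0, 0, 0, 0, 0, 0, 6): "OSPFv3 designated routers",
    (0xFF02, 0, 0, 0, 0, 0, 1, 2): "all DHCPv6 relay agents and servers",
}
SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
          5: "site-local", 8: "organization-local", 0xE: "global"}


def expand(addr):
    """Return the eight 16-bit quartets as ints; reject malformed text."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed: %r" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        head_parts = head.split(":") if head else []
        tail_parts = tail.split(":") if tail else []
        missing = 8 - len(head_parts) - len(tail_parts)
        if missing < 1:
            raise ValueError("'::' must replace at least one quartet: %r" % addr)
        parts = head_parts + ["0"] * missing + tail_parts
    else:
        parts = addr.split(":")
    if len(parts) != 8 or not all(QUARTET.match(p) for p in parts):
        raise ValueError("malformed IPv6 address: %r" % addr)
    return [int(p, 16) for p in parts]


def compress(quartets):
    """RFC 5952 text form: lowercase, no leading zeros, and the longest run
    of all-zero quartets (leftmost on a tie, never a single one) becomes '::'."""
    best_start, best_len, run_start, run_len = -1, 0, -1, 0
    for i, q in enumerate(list(quartets) + [None]):  # sentinel ends the last run
        if q == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    hexs = ["%x" % q for q in quartets]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def classify(addr):
    """Name the address type from its leading bits (the prefixes in the notes)."""
    q = expand(addr)
    first = q[0]
    if q == [0] * 8:
        return "unspecified (::)"
    if q == [0] * 7 + [1]:
        return "loopback (::1)"
    if first >> 13 == 0b001:            # 2000::/3: first hex digit 2 or 3
        return "global unicast (2000::/3)"
    if first >> 9 == 0b1111110:         # fc00::/7: starts with fc or fd
        return "unique local (fc00::/7)"
    if first >> 6 == 0b1111111010:      # fe80::/10: fe8, fe9, fea or feb
        return "link-local (fe80::/10)"
    if first >> 8 == 0xFF:              # ff00::/8: scope is the fourth hex digit
        scope = SCOPES.get(first & 0xF, "scope %x" % (first & 0xF))
        label = "multicast, %s scope (ff00::/8)" % scope
        if tuple(q) in WELL_KNOWN:
            label += ": " + WELL_KNOWN[tuple(q)]
        return label
    return "other/reserved"
```

expand() rejects an address with two double colons or with a :: that stands for nothing, which is also the check to apply before trusting an address string from an untrusted source; classify("ff02::1:2") reports the DHCPv6 group with its link-local scope.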

ICND2 – Chapter 18 – NAT (Network Address Translation)

NAT is defined by RFC 3022. It allows a host that does not have a valid, public routable IP address to communicate with other hosts on the internet.

Cisco IOS supports several variations of NAT.

Static NAT configures a 1 to 1 mapping between private and public addresses.

Dynamic NAT creates a 1 to 1 mapping between private and public addresses as well but does it dynamically.

You can manually clear Dynamic NAT translations using:

Router#clear ip nat translations *

Dynamic NAT sets up a pool of possible INSIDE GLOBAL addresses and uses an ACL to determine source addresses that should use NAT.

NAT Overload (also known as PAT) maps many inside hosts to one single public address and keeps their flows apart using the TCP/UDP port numbers.

Cisco uses the term INSIDE to refer to the network using private addresses.

The term OUTSIDE refers to the Internet side of the network (using globally routable public IP addresses)

More on Inside/Outside and Local/Global:

INSIDE – Inside the LAN
OUTSIDE – Outside the LAN
LOCAL – private addresses
GLOBAL – public addresses

INSIDE LOCAL – inside private
INSIDE GLOBAL – inside public
OUTSIDE LOCAL – outside private (in many cases this is the same as the OUTSIDE GLOBAL)
OUTSIDE GLOBAL – outside public

Normally NAT translates an inside SOURCE address to an outside address, but you can also translate both the SOURCE and DESTINATION addresses. This is useful when two networks that must communicate are numbered from the same private address block (overlapping addresses), for example after a merger. This is accomplished via static mapping.

Static NAT Configuration:

1. Configure interfaces to be inside or outside

Router(config-if)#ip nat inside


Router(config-if)#ip nat outside

2. Configure static mappings

Router(config)#ip nat inside source static INSIDE-LOCAL-IP INSIDE-GLOBAL-IP

(INSIDE-LOCAL-IP is the private address of the host; INSIDE-GLOBAL-IP is the public address it is mapped to)

Dynamic NAT Configuration:

1. Configure interfaces to be inside or outside (as above)

2. Create an ACL that matches the source addresses of the hosts that will use NAT

Router(config)#access-list 10 permit SOURCE-NETWORK WILDCARD-MASK

3. Create a NAT pool (public addresses)

Router(config)#ip nat pool MyPool FIRST-PUBLIC-IP LAST-PUBLIC-IP netmask SUBNET-MASK

4. Enable NAT

Router(config)#ip nat inside source list 10 pool MyPool

Configuring PAT (NAT Overload):

NAT Overload can use a single public address or a pool of public addresses. When using a pool the setup is the same as the Dynamic NAT setup above except you add the overload keyword to the command in step 4.

Router(config)#ip nat inside source list 10 pool MyPool overload

PAT with a single address:

1. Configure interfaces to be inside or outside

2. Create an ACL that matches the source addresses of the hosts that will use NAT

3. Enable NAT and specify the interface to use as the public address

Router(config)#ip nat inside source list 10 interface s0/0 overload
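How the PAT configuration above behaves on the wire, as an added example in Python (not the blog's or the Cisco book's code). The inside ACL 10.1.1.0/24, the inside global address 198.51.100.1 and the static web-server entry are assumptions chosen for the demo, using the RFC 5737 documentation ranges. It shows the part the configuration steps do not: two inside hosts using the same source port get distinct inside global ports, replies are mapped back by port, an unsolicited inbound packet with no translation is dropped, and an inside host the ACL does not match is routed untranslated.

```python
"""Toy model of Cisco NAT overload (PAT) plus one static entry.

Added example (not from the blog or the Cisco book). The inside ACL, the
inside global address and the static mapping are assumptions for the demo;
the addresses come from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Models 'ip nat inside source list ACL interface IF overload'."""

    def __init__(self, inside_acl, inside_global, static=()):
        self.inside_acl = [ip_network(n) for n in inside_acl]  # plays access-list 10
        self.inside_global = inside_global                     # the outside interface IP
        # (inside local IP, port, proto) -> inside global port
        self.table = {}
        # (inside global port, proto) -> (inside local IP, port)
        self.reverse = {}
        # 'ip nat inside source static' entries: fixed, never time out, and
        # reachable from outside without an inside host starting the flow
        for local_ip, local_port, global_port, proto in static:
            self.table[(local_ip, local_port, proto)] = global_port
            self.reverse[(global_port, proto)] = (local_ip, local_port)

    def _permitted(self, ip):
        return any(ip_address(ip) in net for net in self.inside_acl)

    def _free_port(self, wanted, proto):
        # IOS keeps the original source port when it is free; otherwise it
        # picks another so two inside hosts using the same port stay apart.
        port = wanted
        while (port, proto) in self.reverse:
            port = port + 1 if port < 65535 else 1024
            if port == wanted:
                raise RuntimeError("no free port on %s" % self.inside_global)
        return port

    def outbound(self, pkt):
        """Inside -> outside: the inside local source becomes inside global."""
        if not self._permitted(pkt.src_ip):
            return pkt      # ACL does not match: routed untranslated
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.table:
            port = self._free_port(pkt.src_port, pkt.proto)
            self.table[key] = port
            self.reverse[(port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.inside_global, src_port=self.table[key])

    def inbound(self, pkt):
        """Outside -> inside: look the destination port up, or drop the packet."""
        if pkt.dst_ip != self.inside_global:
            return None     # not addressed to our inside global address
        entry = self.reverse.get((pkt.dst_port, pkt.proto))
        if entry is None:
            return None     # no translation exists: unsolicited inbound is dropped
        local_ip, local_port = entry
        return replace(pkt, dst_ip=local_ip, dst_port=local_port)

    def translations(self):
        """Rows in the spirit of 'show ip nat translations'."""
        return sorted(
            "%s %s:%d %s:%d" % (proto, self.inside_global, gport, lip, lport)
            for (lip, lport, proto), gport in self.table.items()
        )


def demo():
    """Two inside hosts collide on the same source port; a web server is static."""
    r = NatRouter(inside_acl=["10.1.1.0/24"], inside_global="198.51.100.1",
                  static=[("10.1.1.20", 80, 80, "tcp")])
    host_a = r.outbound(Packet("10.1.1.10", 50000, "203.0.113.5", 443))
    host_b = r.outbound(Packet("10.1.1.11", 50000, "203.0.113.5", 443))
    reply_b = r.inbound(Packet("203.0.113.5", 443, host_b.src_ip, host_b.src_port))
    stray = r.inbound(Packet("203.0.113.9", 40000, "198.51.100.1", 3389))
    web = r.inbound(Packet("203.0.113.9", 40000, "198.51.100.1", 80))
    untranslated = r.outbound(Packet("10.1.2.5", 50000, "203.0.113.5", 443))
    return dict(host_a=host_a, host_b=host_b, reply_b=reply_b, stray=stray,
                web=web, untranslated=untranslated, table=r.translations())
```

The dropped unsolicited packet is why PAT is often mistaken for a firewall; the static entry shows the limit of that, since anything matching a static mapping is reachable from the outside whether or not an inside host started the flow. IOS translations also time out; this model keeps them forever.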

ICND2 – Chapter 17 – VPN

VPNs (Virtual Private Networks) try to provide, over the public Internet, the same security as leased lines. This includes:

Privacy (confidentiality) – encryption keeps anyone who intercepts the packets on the Internet from reading the data
Authentication – Verifies the sender
Integrity – Verifies the data has not changed in transit
Anti-Replay – prevents an attacker who captured packets from resending them later to pose as the legitimate source

Types of VPNs:

Intranet – Site to Site within an organization
Extranet – Site to Site to another organization
Access – Allows access to corporate network from legitimate users across the internet

IPSec exchanges keys dynamically using IKE (Internet Key Exchange; IKEv1 is RFC 2409, IKEv2 was RFC 4306 and is now RFC 7296). IKE uses the Diffie-Hellman process so that the two peers agree on a shared secret without ever sending it over the network; a listener sees only the public values.

IPSec can use AH (Authentication Header) or ESP (Encapsulating Security Payload). ESP encrypts the payload and can also authenticate it. AH does not encrypt; it only authenticates, and because it covers parts of the IP header it does not survive NAT. ESP is what you will see in practice.
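The Diffie-Hellman step that IKE performs, as an added Python example (not from the blog or the Cisco book). The prime and generator are the published RFC 3526 group 14 values; the range and subgroup checks on the peer's value, the exponent size and the SHA-256 at the end are this example's simplifications of the real IKE key derivation, which feeds the shared secret and the nonces to a PRF.

```python
"""The Diffie-Hellman exchange inside IKE, with RFC 3526 MODP group 14.

Added example (not from the blog or the Cisco book). The prime and the
generator are the published group-14 values; the peer-value checks and the
final hash are this example's simplifications, not IKE's exact key derivation.
"""
import hashlib
import secrets

# 2048-bit MODP prime from RFC 3526 section 3 ("group 14" in IKE); g = 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2   # P is a safe prime, so G generates a subgroup of prime order Q


class Peer:
    """One side of the exchange (IKE initiator or responder)."""

    def __init__(self, name, exponent_bits=256):
        self.name = name
        # Private exponent: RFC 3526 recommends 224-320 bits for group 14.
        self.private = 2 + secrets.randbelow((1 << exponent_bits) - 2)
        self.public = pow(G, self.private, P)   # the KE payload sent to the peer

    def shared_secret(self, peer_public):
        """Compute g^(xy) mod P after validating the peer's public value."""
        # Checks in the spirit of RFC 2785: reject 0, 1, P-1 and anything
        # outside the prime-order subgroup, which would let a malicious peer
        # force a predictable secret (small-subgroup attack).
        if not 2 <= peer_public <= P - 2:
            raise ValueError("peer public value out of range")
        if pow(peer_public, Q, P) != 1:
            raise ValueError("peer public value not in the order-Q subgroup")
        return pow(peer_public, self.private, P)

    def session_key(self, peer_public):
        """Hash the shared secret into a fixed-size key (simplified KDF)."""
        secret = self.shared_secret(peer_public)
        return hashlib.sha256(secret.to_bytes(256, "big")).hexdigest()


def run_exchange():
    """Both sides' messages: each sends its public value, both derive one key."""
    initiator, responder = Peer("initiator"), Peer("responder")
    ke_i = initiator.public   # initiator -> responder (KE payload)
    ke_r = responder.public   # responder -> initiator (KE payload)
    return initiator.session_key(ke_r), responder.session_key(ke_i)
```

run_exchange() returns the two sides' keys, which are equal; shared_secret() refuses 0, 1, P-1 and values outside the prime-order subgroup, the checks that stop a malicious peer from forcing a predictable secret. Anyone who captured both KE payloads still has to solve the discrete logarithm in the 2048-bit group to recover the key.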

ICND2 – Chapter 16 – Frame Relay Configuration

Cisco IOS uses Inverse ARP by default, which discovers the mapping between each DLCI and the IP address of the router at the other end of that VC (the next hop).

Configuring Frame Relay

1. Configure frame-relay encapsulation on the physical interface

Router(config-if)#encapsulation frame-relay (use frame-relay encapsulation instead of default HDLC)

2. Configure an IP Address on the interface or sub-interface(s)

3. Optional: Manually configure the LMI type on the physical interface

Router(config-if)#frame-relay lmi-type [ansi | cisco | q933a]

4. Optional: Change from Cisco frame-relay encapsulation to IETF on all or specific VCs:

Router(config-if)#encapsulation frame-relay ietf (for all VCs on the physical interface)


Router(config-subif)#frame-relay interface-dlci 99 ietf (for point-to-point sub-interfaces)


Router(config-if)#frame-relay map ip NEXT-HOP-IP 99 broadcast ietf (on the physical interface or a multipoint sub-interface, or when not using Inverse ARP)

5. Optional: Define Static Mapping of DLCIs (no Inverse ARP)

Router(config-if)#frame-relay map ip NEXT-HOP-IP DLCI broadcast

When using static mapping the broadcast keyword is required so that routing protocol updates (broadcasts/multicasts) are sent across the VC; without it the neighbors never form.

6. Sub-interfaces Only: Associate DLCIs to sub-interface using:

Router(config-subif)#frame-relay interface-dlci 99 (point-to-point sub-interfaces, or multipoint sub-interfaces that rely on Inverse ARP)


Router(config-subif)#frame-relay map ip NEXT-HOP-IP DLCI broadcast (multipoint sub-interfaces with static mapping; the map command both associates the DLCI and supplies the next-hop address)


ICND2 Reflection and Plans

It was a bit depressing to fail the ICND2 test especially since I was so close to the passing score. I guess the good news though is that I am not far away in my knowledge/skills. I’ve been thinking about it quite a bit and realize that I left some easy ones on the table that would have made the difference. This is particularly true in the IPv6 scope. A few of the questions were somewhat confusing. I read them and immediately formulated an answer/solution in my head. Then I looked at the list of answers and the one that came to my mind at first was not in the list of answers. This left me scratching my head and wondering what they were trying to get at. I feel as if I missed a few of these and plan to review. Specifically, I am going to re-read the OSPF, IPv6, NAT, and advanced ACL chapters again. Also, I never got the chance to read any of the Todd Lammle book that I bought so I am going to try to get through most or all of the ICND2 pertinent chapters in his book as well. I am definitely re-taking the exam soon. The tentative date is 8/14/2012 (a week from this Friday). Over the next few days, I also want to get my chapter reviews up for the last 4 chapters that I did not get done before the exam last time. I’ll end this post with a few facts that I should have memorized that would have made a difference on the exam.


Link Local addresses begin with FE80::/10

FF02::2 multicasts to ALL ROUTERS on a subnet, FF02::1 multicasts to ALL NODES on a subnet.

I need to memorize all the reserved addresses and address types. I will cover that in my review.


The default VTP mode is Server mode.

Needed 825 to Pass – Got 818 – Failed

Unfortunately, I was met with failure today. I came very close to a passing score on the ICND2 exam but fell short. The testing center had some technical issues and was not able to give me an exam report at the end of the exam so I have no clue how I did in regards to specific areas. Still working to try and get that.

Exhausted – Done for the Night

It has been about 12 or 13 hours since I started my last day review and 2 things have become apparent:

1. I’m totally exhausted / burnt at this point. The old eyeballs are glazing over.
2. I’m not going to finish transcribing the last 4 chapters tonight.

The exam is tomorrow afternoon which makes it about 14 hours from now.

I need a good night’s rest. Luckily, I studied the last 4 chapters on 7/31 and 8/1 (within the last 2 days) so it’s recent and still fairly fresh in my head. Do I feel prepared for the exam? Sort of. My confidence level is reasonably high but I keep thinking about the scope of the material and wonder whether I know enough of the details on everything. As they say, CCNA is a mile wide and 1 foot deep. (or something like that) It really does cover a lot of material. Tomorrow will be the real judge of my preparation. I am committed to passing ICND2 so even if I do not have success tomorrow, I will go back to the drawing board, formulate another study plan, and take the exam again in a few weeks. However, in the back of my mind I just keep thinking I am going to pass tomorrow. 🙂

I’ll post the results (good or bad) tomorrow when I get back from the testing center.