My CCNA Data Center certification experience

Today, I passed the Cisco 640-916 DCICT exam, achieving the CCNA Datacenter certification. This was my third attempt. I failed my first attempt by 4%. I failed my second attempt by 1% and wrote about my less-than-stellar customer service experience with Pearson Vue in this post.

I primarily studied with Anthony Sequeira’s CBTNuggets series – if you have some hands-on experience with basic Nexus configuration tasks, his videos are enough to pass the exam with one caveat. The exam developers at Cisco have taken a step backward in exam quality compared to the CCNA Route & Switch. Most Cisco exams don’t expect you to memorize pages of technical specifications, but that’s not the case with this exam. It’s almost as if they hired a few Microsoft exam developers and had them write Microsoft-style “Under which menu option would you find X feature” questions. Then they mixed those nonsense questions in with the typically straightforward Cisco questions. The result is an annoyingly blended exam that bounces between fair questioning on concepts and worthless memorization. Unfortunately, the straightforward questions aren’t enough to balance out the straight memorization.

While using somebody else’s braindump is against the rules, using your own exam experience is not. If you do happen to fail, my suggestion is to write down all of the areas you were confused by immediately – don’t even wait for the drive home, do it in the parking lot of the testing center. You can then take this extremely valuable information home with you and focus your study. Doing this made me understand exactly what pieces I had to memorize and resulted in a pass.

My Cisco 640-911 (DCICN) exam experience

I passed the Cisco 640-911 exam today on my second attempt. I failed the first attempt with an 809/1000 – passing was 818. I’ve failed other exams by razor-thin margins before, like the VCAP4-DCA and VCP5-DT exams by 2%, but this is the first time I’ve ever failed by less than 1%.

The 911 exam is the first of two exams required for the CCNA Data Center certification and is roughly analogous to the ICND1 exam for the CCNA exam. However, unlike the regular CCNA, you don’t have multiple options for taking the exam. You can take the ICND1 and ICND2, or the CCNA exam for your CCNA. There is no option for the CCNA Data Center; you must sit both the 911 and 916 exams.

I was a bit disappointed by some of the questions. Nexus is supposed to be a next-generation platform, yet I was tested on legacy tech that isn’t at all relevant to the Nexus or even any modern data center. I added some fairly blunt comments during the exam and I hope the questions that I flagged are considered for removal.

I used Todd Lammle’s CCNA Data Center study guide for this exam. If you take the time to work through the entire book, work all of the examples and practice questions, you will pass the exam. I was a bit overconfident the first time, assuming I could easily pass this exam by simply skimming the material – it brought me close, but not close enough. The second time I made sure to slowly go through the entire book, and it paid off with a pass, and I even got a 100% on some of the exam sections!



VMware load balancing with Cisco C-series and 1225 VIC card

I recently did a UCS C-series rackmount deployment. The servers came with a 10gbps 1225 VIC card and the core routers were a pair of 4500s in VSS mode.

The 1225 VIC card lets you carve virtual NICs from your physical NICs. You can put COS settings directly on the virtual NICs, enabling you to prioritize traffic directly on the physical NIC. For this deployment, I created 3 virtual NICs for each pNIC – Management, vMotion, and VM traffic. By setting COS to 6 for management, 5 for VMs, and 4 for vMotion on the vNICs, I ensure that management traffic is never interrupted, and I also guarantee that VM traffic will be prioritized over vMotion. This still allows me to take full advantage of 10gbps of bandwidth when the VMs are under light load.

[Image: Cisco 1225 VIC vNIC]

Cisco support – a colossal failure

I’m so fed up with Cisco that I’m ready to switch platforms. Maybe I’ll start building networks by following the Microsoft certification route “Your core network router is a Windows 2008 Server running Microsoft Routing and Remote Access…”

The Cisco debacle began as I attempted to expand a pair of Cisco MDS 9124 fibre switches from 8 to 16 ports. We ordered quantity 2 of SKU M9124PL8-4G-AP=. This gives you an expansion license for the additional 8 ports as well as 8 SFP transceivers. The order arrived on a Monday. I unpacked everything and installed the SFPs. Now I moved on to the licensing.

I plugged the PAK from the first box into the Cisco website and it came back as a bad key. The second one was also bad. I then contacted Cisco licensing to assist as neither PAK worked. Cisco soon issued me license keys, but they failed to install. The switches reported “Installing license failed, not compatible with the platform MDS9124.” I reported this back to Cisco Licensing and got “Please be informed that those are the licenses found to be associated for those PAK Numbers you provided as shown on the claim certificate you provided. Please contact your Account Team or local Cisco Sales Engineer for assistance determining what license are compatible with your switches. My apologies for we at Licensing Team only issue, resend and re-host licenses based on entitlements being provided to us and your understanding on this is appreciated.”

I then engaged Cisco TAC. The TAC engineer said that the PAK was for the 9124 model designed for an HP blade chassis. I looked at the PAK that was included in the box and sure enough it was an MDS 9124 kit for HP. But the order we placed was correct, the SKU on our wholesaler’s paperwork was correct, and Cisco even had a record of the correct purchase. Apparently somebody in the Cisco factory stuck the wrong piece of paper in the box.

The TAC engineer was certain that licensing could fix this issue, so he kicked the ticket back to them with his notes. Licensing again refused to assist, saying they could not issue a new license. At this point it had been 3 days of back and forth with Cisco. I went back to our Cisco partner sales rep, but he was unable to get anybody with authority to fix the problem. Finally we ended up back at the wholesaler. They spent two business days using their Cisco contacts to attempt resolution without success.

9 days after my initial contact with Cisco, the wholesaler ended up issuing two new certificates and eating the cost. Cisco gave the runaround to 1) My client, 2) My company, a Gold Partner and Academic Partner of the Year and 3) Ingram Micro, Cisco’s Global Distribution Partner of the Year. Cisco wasted all of our time and money, and ended up getting paid twice for the product.

One week later, I received an e-mail from a Cisco Licensing manager. Part of it said “On cases like this, your point of sales should check if the Sales Order that they got from Cisco has the exact SKU that you ordered included in the SO#. If yes, it would be with manufacturing team providing the incorrect license claim certificate, which we could fix by escalating internally.” This is exactly what I wanted when I contacted Cisco initially. All the paperwork was correct, but the licensing paperwork was not. This seemed to be an insurmountable challenge for the licensing team. My email chain with the manager ended with “Rest assured, this is an isolated incident which has been reported internally on our end and I do hope that this does not happen to you again in the future.”

Check the path – A lesson in PCoIP troubleshooting

I’ll start with the moral of the story – when you’re having network issues, check the entire path.

I had an ongoing issue on a client’s network involving VMware View 5 and PCoIP. All internal traffic worked fine. Any PCoIP traffic that passed through the Cisco ASA firewall timed out. I could not get PCoIP traffic to work externally through the DMZ. It was the same behavior you get when the firewall has blocked ports. However, the firewall rules all seemed to be correct. When I switched the View client to use RDP, it connected to the desktop.

I opened a ticket with VMware support. They performed a bunch of troubleshooting, including running custom utilities to validate that all firewall ports were open. Everything checked out, and they blamed the Cisco ASA. I found a View-related bugfix on the Cisco website and tried flashing the ASA, but the problem persisted. So I opened up a ticket with Cisco TAC. They did their troubleshooting including packet captures and found nothing wrong. Their analysis was that the internal View connection broker was sending a FIN message to terminate the PCoIP session.

Back I went to VMware support, and they again failed to come up with a solution. So I was sitting there one day and my eyes floated over to the network diagram hanging on the wall. BAM. The cause of the problem was staring me right in the face. The customer has a Cymphonix web filter device; it functions as a bridge between the Cisco ASA and the internal network core. I tried digging through the logs on the Cymphonix but found no evidence of any packets being dropped. I put in a call to Cymphonix support anyway. I discovered that the Cymphonix was definitely dropping the PCoIP packets.

I had run afoul of a feature called Anonymous Proxy Guard. It’s designed to prevent a user from bypassing the Cymphonix by using another proxy server. The feature detects the PCoIP protocol as an anonymous proxy and drops the packets. Cymphonix support couldn’t give me a satisfactory explanation for why the device didn’t/couldn’t log the drops. I reconfigured the Cymphonix to stop using Anonymous Proxy Guard for all traffic inbound and outbound from the View Security servers. Problem solved.

The next time you’re having a problem like this, trace the entire network path!
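As an added illustration (not part of the original post), the sketch below compares capture summaries taken at each point along the path and reports the segment where PCoIP flows disappear, which is how a silent drop shows up when the inline device logs nothing. Tap names, addresses and packet counts are constructed; it assumes addresses are unchanged between taps (no NAT) and relies on PCoIP using TCP/UDP port 4172.

```python
from collections import Counter

PCOIP_PORT = 4172  # PCoIP session traffic uses TCP and UDP port 4172

def flow_counts(packets, port):
    """Count packets per (proto, src, dst, dport) flow for one destination port."""
    return Counter((p["proto"], p["src"], p["dst"], p["dport"])
                   for p in packets if p["dport"] == port)

def locate_drops(taps, port=PCOIP_PORT, loss_threshold=0.5):
    """taps: ordered list of (tap_name, packets), from the outside inward.
    Returns (upstream_tap, downstream_tap, flow, sent, seen) for every flow
    that loses more than loss_threshold of its packets between two taps."""
    findings = []
    for (up_name, up_pkts), (down_name, down_pkts) in zip(taps, taps[1:]):
        up = flow_counts(up_pkts, port)
        down = flow_counts(down_pkts, port)
        for flow, sent in up.items():
            seen = down.get(flow, 0)
            if (sent - seen) / sent > loss_threshold:
                findings.append((up_name, down_name, flow, sent, seen))
    return findings

def pkt(proto, src, dst, dport):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}

# Constructed sample: documentation-range addresses, hypothetical tap names.
CLIENT, SERVER = "203.0.113.10", "192.0.2.20"
tcp_pcoip = [pkt("tcp", CLIENT, SERVER, 4172)] * 3
udp_pcoip = [pkt("udp", CLIENT, SERVER, 4172)] * 40
https = [pkt("tcp", CLIENT, SERVER, 443)] * 5

SAMPLE_TAPS = [
    ("asa_outside", tcp_pcoip + udp_pcoip + https),
    ("asa_inside", tcp_pcoip + udp_pcoip + https),  # firewall passes everything
    ("filter_inside", https),                        # PCoIP gone behind the bridge
]

if __name__ == "__main__":
    for up, down, flow, sent, seen in locate_drops(SAMPLE_TAPS):
        print(f"{flow}: {sent} packets at {up}, {seen} at {down}")
```

Every device between two adjacent taps is a suspect for the reported flows, including transparent bridges that do not appear as a routed hop.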

My CCNA certification experience

I achieved the CCNA certification in April. A number of people have asked me what I did to pass the exam, so I thought I’d write a quick post about it.

I had basic knowledge of how IP networks function, but knew very little about the nuts and bolts. I had distant experience doing basic T-1 support (is the interface up? Red or yellow alarm?), but hadn’t touched a Cisco router in over 4 years. I had never configured anything other than default VLANs and I had no experience with routing protocols.

When I decided to pursue the CCNA, I found I had 2 options – take the full CCNA exam, or take the ICND1 and ICND2 exams. ICND1 gives you the CCENT certification. Passing the ICND2 exam then gives you the CCNA. I typically prefer to take fewer exams, but in this case I thought splitting the exam content was a better choice. Cisco does a great job separating the focus of the exams. The ICND1 truly is basic networking. The OSI model, tons of subnetting, and basic Cisco configuration. The ICND2 is much more difficult for a server admin. There are plenty of exam areas that the average server admin hasn’t even heard of, let alone configured. OSPF, EIGRP, and frame relay were the main areas where I came in with no knowledge at all.

Just as I was about to start studying, my company made a corporate purchase of the entire CBTNuggets library. Jeremy Cioara’s ICND1 and ICND2 videos were the only study materials I used. The man knows his stuff and I clicked with his training style. I can honestly say that his videos are an amazing blueprint for the exams. If you can perform every task he goes over in the training, I would almost guarantee a pass on the exams. I watched the ICND1 series straight through without much difficulty. The ICND2 videos took much longer. I spent a long time watching and rewatching routing protocols to understand what was going on.

I had a client who was kind enough to lend me a pair of old switches that worked just fine for studying VTP and trunks. I wanted to follow along by building the same lab infrastructure as CBTNuggets, but I didn’t want to go buy a bunch of aftermarket routers and a frame relay switch, so I used GNS3 instead. I built a replica of the instructor’s equipment inside GNS3 so I could configure the exact same network that he was configuring. GNS3 cannot emulate switches, so you either need to already know switching or you need to practice on physical switches.

I found the exams to be tough but fair. The typical Microsoft exam is memorize-and-regurgitate. The CCNA is nothing like that – you have to understand the material, then apply it. Cisco throws all kinds of questions at you – multiple choice, multiple answer, matching up columns, and live router configuration exercises. One thing that I really like about Cisco multiple answer questions is that they never give you the Microsoft style “Select all that apply”. Is it two answers? Three answers? Cisco always tells you how many answers they’re looking for.

Good luck in your certification pursuits!