Sunday, December 03, 2006
It has been two weeks since I officially joined Cisco and I still can’t believe it. I still can’t believe that I’m part of Cisco Advanced Services now, a team that I used to dream to join at any cost. Every day is an exciting day. Everybody is so talented. I can really feel to be a part of the team. I can understand the true meaning of team work. Be in touch with any other team members around the globe without boundaries.
So this is the company that has a vision to change the way we live, work, play and learn. Now the question is: how can I contribute?
Joining Cisco is not the end of the journey, it's just the beginning.
It is time to start living my dream.
Saturday, November 25, 2006
How can I live without credit cards?
So far it's been good. It's almost a week now I have been surviving in the new country without any credit cards. Everything has to be paid with cash. And we live in an era where people carry less and less money in their wallet. Strangely enough, most of places now prefer credit card more than cash. Take my hotel as example. When I informed them that I would like to pay in cash, I had to pay the whole amount of the room rate plus security deposit. If I paid with card, I didn't have to pay the deposit. So I guess people trust me more if I had my credit card.
Actually I was planning to use cash only for emergency purpose but now I don't have any options. This situation makes me plan more carefully in my daily spending. At least until I receive my first month salary :)
From the other point of view, actually this time is the first time in my life since ten years ago that I don't have any debt at all to any credit card companies or the banks. Live freely without any obligation to pay some fees every month. A life without debt.
Monday, November 20, 2006
In my last moment in Dubai, I have been trying to remember all the good things that happened to me in the past. Things that I like the most about Dubai:
- No-tax, yes if you make 1000 it means you bring 1000 home!
- Safe and Secure environment, crime rate is low
- Anything that you would like to see in the world, may probably exist here: pyramid, indoor ski, white beaches, rock mountain, opera house-like in Sydney, twin towers, 7-star hotel, world's biggest shopping mall and tallest tower will come soon, and they are planning to build something like Great Wall in China.
- Cars price is cheap, even low-skilled labor like me can drive BMW :)
- Girls are pretty, well they may not be available but it's good to see yourself surrounded by pretty girls
- Peaceful Moslem environment, there are so many mosques and I have seen some people even prayed next to the road because they are so keen to pray exactly at prayer time. I'm a moslem so having moslem environment is important for me
On the other hand, things that I hate the most about Dubai:
- Summer time, can reach up to 50 degrees celcius! Even the official never admits it since 50 degrees means public holiday
- Traffic jam, anyone can afford to buy car and there are so many new construction sites in Dubai and most of them disturb the traffic so it’s always jam and unpredictable not only during busy hours
- Apartment Rent is ridiculously high, Dubai is no.25 in the most expensive City in the world and frankly speaking I don't think Dubai deserves it
- To many hypes: for example in my opinion apartment rent price should not go up because there is no big changes in number of people living in Dubai, when the first time UAE stock market was opened the price went very high but now it reaches the bottom of the barrel, etc
Anyway, I really enjoy my time and I may come up with some other like/hate things later on. I have been in Dubai for almost 5 years so even I will go to my dream job but I still can feel that something is missing. Will continue later.
Saturday, November 11, 2006
Download the files with initial config here.
Hopefully they will launch the SP workbook soon.
Sunday, October 15, 2006
Well to be frank, I'm still waiting for the one ultimate offer from -you know who- that is supposed to come real soon. While waiting, I can learn to work as contractor and I still can make a good money.
And guess what? Working as contractor is awesome.
First of all, I become completely in charge of my work and my schedule. I have to make my own document template, project plan and even invoice. Every second is important since I have to achieve my target as agreed in the contract. I become really focus since I know exactly what to do. And offcourse, the real challenge is to make my customer happy and satisfied. It's a big task to make them feel like they made the right decision by investing their money in my services. And without any interferences and help from any Account Manager, Sales person or Project Manager from the company offcourse. I become all of them. I become the Account Manager, Sales, Project Manager, Consultant, Lead Designer, Senior Engineer and even as Accountant to calculate and get the bill. One man show.
One ring to rule them all.
So being a contractor means totally in control of our lives.
But how to start or to become a contractor? I'm still learning but I tried to make the list of things need to be taken care of if you want to work as contractor:
1. Statement of Work (SoW)
The most important thing needs to be addressed first is the scope of work. Anything we are going to work on during the contract should be written clearly. With this way, we can start working on the project plan, calculating the time allocation and put milestone in each target. The good thing about my customer is I know them very well so we can discuss and reach the agreement for the scope within short time.
2. Legal Issues
After we agree with the customer about the SoW, it's time to make it official. Contract has to be signed by both sides to make it legal. In the contract it will be mentioned about the term and condition, and I believe the following are the most important:
- duration of the contract
- total fees of the contract
- person in charge we are going to work with or reporting to
- criteria of the completion of work
- how if one side wants to terminate the contract earlier
- it can even go into detail such as expected working hours and so on
3. Financial Issues
There are two main issues related to financial: are we going to charge in hourly, daily, weekly or monthly basis, and how the customer can pay us. For me I prefer to calculate the rate in daily basis, then provide the fee for a month with discounted price. This is my first contracting job so I prefer to work in monthly basis, even my fee calculation was based on daily basis, since it makes me able to arrange all accomodation and transportation easily.
Regarding the payment, the bad news is sometime our potential customers don't have any policy to pay to individual directly. So either we have to work with our customer closely to find a way, or we have to use some company's name that normally willing to provide help with certain fees.
4. Report and Milestones
I always like to make my customer fully aware about my work so I think it's a good idea to provide periodic update and report. For 1-month contract I believe weekly report should be enough. I don't want to waste the precious time during the contract to conduct a meeting only to update the customer, so unless it's really required I prefer to discuss about the progress through email and it should put everyone in the loop.
5. Closure of the Project
Since all the scope and the criteria of completion have been defined clearly, it's easier to close the project and the contract. This is the reason why SoW and the legal contract are the most importants factor for a succesful job. All documentation, plan, drawing, testing result, and report must be consolidated and submitted at the end of the contract.
6. Supporting Items
Well, if we have to work in another country for sure we are going to need temporary working visa, accomodation and transportation. We may require to have proper communication channel with the customer, for example dedicated GSM line and e-mail address only for one customer. My current customer provides one temporary email account that I can use to communicate with them.
There are some other way to make it easier to work as contractor. I have been contacted in the past by few agencies in Dubai that offered me contracting jobs as well. So instead of dealing directly with the customer, I can work for those agencies and I don't need to worry about SOW, legal issues and the payment. Those agencies have alredy had everything in place. They can even provide visa, accomodation and transportation. So I just need to work in customer site and collect the paycheck by the end of the month from the agency.
Well, surely there are some of you who have done this for years. So if you have any other suggestion for contractor wannabe like me, please share it here.
Sunday, October 01, 2006
Well, actually it's not that bad. I have several offering letters in my hand from different types of company. The first one is from a local company who wants me to work with them in multi-million dollar projects with UAE goverment. The second offer comes from my own company. Well, after 3 months acting like they don't need me anymore suddenly in the last day they came and really gave me a good offer. The third offer is from one multi-national and Cisco Gold partner company that unfortunately doesn't put Cisco as its main business. And the last but not least, I received an offer from one consulting company who makes lots of money only from consultancy services.
I haven't decided which one to go so until I make my decision I will stay jobless. But fear not, I still have enough saving to allow me to play snowboarding even I have to start eating ramen noodles. And I was able to add several TV show series into my collection: Scrubs season 1 to 5, Prison Break season 1, and Lost season 1 and 2. So it looks like I will be able to enjoy my unemployment time with style.
Jobless with style.
Sunday, September 10, 2006
Conversation between John Henry Giles, a musician and the patient, with Dr. Gregory House. Taken from House, Season 1 Episode 9 "DNR"
What do you want to be when you grow up?
It's easier to answer this question when we were kids. We could reply wihout thinking: a doctor, police officer, kindergarten teacher, or even the president of United States. But when we grow up, our minds start connecting between what we want to be with our current condition. Take myself as example. When I took my mechanical engineering degree, I thought becoming one of the Formula One racing technical team would be my dream job. When I built small Jet Engine as my final project in university I thought my life would be ended in Boeing or McDouglas. And when I passed my first CCIE I thought I would become one of the guys who invent the next communication protocol.
Have I found what I want to be in life?
I'm not quite sure. But obviously it's a bit late for me to switch from my current field. So for the rest of my life I may need to deal with Networking. But netwoking contains lots of area such as security, wireless, metro ethernet, MPLS and so on. And as far as I know, I can't be good in all area. I need to focus. Focus, focus and focus only in certain area. Find the 'one thing' that I really want to do and become the best on it.
For quite some time, I thought CCIE would be my one thing. It's true to some extend. During my two CCIE journey, I didn't have any interest in life other than my lab console. I kept thinking about it, I forgot any other things in this world other than it, my mind was so focus to it. But it's only for temporary. Once I passed, I got back to normal life.
So what will be my one thing in life?
Again, I'm still not sure. I have been in Networking for more than 7 years and I have spent the last 5 years in network security related field. But I know my interest is not 100% in security. I can figure this out because I know if I really want to be the best in security then I have to learn programming language in-depth and OS memory allocation since those two are the main keys to understand zero-day buffer overflow attack. But I didn't do that.
So if it's not security what would it be?
I had a chance to chat with Dmitry Bokotey, a quad CCIE and author for several Ciscopress books, yesterday and he gave me the same advice: to be the best you have to focus in one area only. Working in multiple area can destroy my career and credibility. And it's better to sacrifice my income if that's the only way to be able to specialize myself. I have been in Enterprise network for quite some time working with routing, switching, wireless, network security and all other campus network components, so he advises me to jump to Service Provider.
Becoming a specialist in Service Provider technology like MPLS or metro ethernet is not a bad idea at all. Plus I'm planning to take the CCIE SP lab so I'm still in the right track. And I have a great interest everytime I read anything related to MPLS applications such as Layer 3 VPN or Traffic Engineering. Yes, I think I can do this. The only question is: can I afford to miss all other things in life to achieve something that I believe will be my one thing?
Do you think it's a good idea to want to be the best? Sacrifice everything for one thing that can make me great? Or perhaps it's better to stay as regular person but still able to enjoy my life?
As always, the answer is: it depends. Life is a matter of preferences.
But one thing for sure, if someone can stay focus in one area and trully believe in it, he can end up in a very special place. Stand out from the crowd. Far beyond the ordinary.
So what is your 'one thing', if any?
Friday, September 01, 2006
Several months ago I wrote 'How to Become a CCIE', a step-by-step for wanna-be-CCIE out there based on my own experience passing two lab exams. In point no. 3 I mentioned that it's compulsory to have a home lab to be able to practice anytime.
How if we can save some money by not buying the equipment but using simulator instead? Thanks to Christophe Fillot, the author of Dynamips - Cisco 7200 Simulator, now it's possible to have a full CCIE lab in our PC.
The idea of this simulator is to emulate Cisco 7200 environment with MIPS processor in normal PC, so we can boot the genuine IOS for Cisco 7200 with 12.2 and 12.4 version. It can simulate various type of network modules such as PA-4T or PA-TE-FX to provide enough serial and ethernet interfaces. The simulator offers virtual ATM, FR and ethernet switch too. If we can simulate 8-9 routers, with ATM, FR and ethernet switch, and put proper interconnection between those routers..voila! we have a complete CCIE lab!
Actually this simulator has been around for quite some time. But when the first time I used this simulator, I faced so many minor issues that almost made me stop thinking about the idea to simulate CCIE lab. Before I found Dynagen, the front end interface for Dynamips, I had to map the port manually between interface in one router to another interface in another router to provide interconnectivity between them. That's because each interface in this virtual router consumes 1 UDP port. So if we want to connect one router to another router with serial connection, we need to map udp port that represents the serial interface in the first router, to the udp port that represents the serial interface in the second router.
The beauty of this is: we can connect virtual routers in one PC to another virtual routers in diferent PC through normal TCP/IP connection.
But if you have to do the mapping manually for let's say 8-9 routers..hmm, it's better to do something else with our life.
So I like to share the step-by-step how to setup CCIE lab in the PC quickly, so you can join me and all my friends who already started pursuing CCIE in this new and cheap way :)
1. You need a good PC for this simulator.
I bought a new PC for this purpose. It's a Shuttle XPC SD36G5 with Intel Dual Core 3.2 GHz and 2 GB DDR memory. Small but powerful.
With Windows OS I can simulate up to 11 routers. With Linux OS in the same machine I can simulate more than 15 routers. I read it somewhere that it's because the limitation in Windows for one process, such as this Dynamips, can take only up to 2 GB memory. While in Linux the limit for one process is 3 GB. So if one virtual router uses 128 MB, multiple this number by number of routers plus additional memory usage by the process, it makes sense to have the process crashed when the number of routers reaches more than 10.
But fear not, there are so many ways to resolve this problem. Use Linux is one solution. Or just run Dynamips in two different processes.
Surely you don't have to compete with my PC. Any decent PC with lots of memory should be enough.
2. You need Cisco IOS for 7200 routers.
Don't ask me, please. I am not allowed to distribute any IOS image.
Just get it from your close friend who works in Cisco partner and can download this IOS for you.
Since IOS comes as compressed binary, we need to unzip it first and keep the .bin extension:
$unzip -p c7200-js-mz.122-25.S9.bin > image.bin
I use the enterprise feature with 12.2.29S version.
3. Download Dynagen and Dynamips.
If you want to use Windows, Dynagen in SourceForge has already provided a package with Dynamips included and all the scripts to make our life easier.
4. Find the idle-pc value to avoid 100% CPU utilization.
Without idle-pc feature, even 1 single virtual router can shoot our PC CPU to 100%. To find the idle-pc value is simple:
- run one router with Dynamips (not Dynagen)
use the same IOS, NPE and memory that you want to use for your lab. For example, I choose NPE-400 and 96 MB ram for each virtual router:
$./dynamips -t npe-400 -r 96 image.bin
- wait until the router completes the booting process and give you the prompt
- go the enable mode and save the configuration with write memory
- press “Ctrl-] + i” sequence key, and it should give you similar output like below after few seconds:
Please wait while gathering statistics...
Done. Suggested idling PC:
Restart the emulator with "--idle-pc=0x60693f8c" (for example)
- exit the simulator, you can do this by reloading the router
- run dynamips again with -idle-pc option with one of the value that you got from previous step:
$./dynamips -t npe-400 -r 96 -idle-pc=0x60693f8c image.bin
- monitor your PC CPU utilization, if it's still low than you are set to continue. If you still get 100% CPU utilization, try different value for the idle-pc option.
5. Run Dynamips in Hipervisor mode
We need to tell Dynamips to run in hipervisor mode which is basically waiting for connection in TCP port 7200 (default) for next instruction from Dynagen.
In Windows, there is a script called 'dynamips-start.cmd' to do this.
$./dynamips.exe -H 7200
Cisco 7200 Simulation Platform (version 0.2.5-RC2-x86)
Copyright (c) 2005,2006 Christophe Fillot.
Hypervisor TCP control server started.
Shutdown in progress...
6. Create the Dynagen config file
Dynagen is awesome. The configuration is a text file that very easy to understand. It comes with sample labs and a text file, all_config_options, that explains all available options.
To practice IE Mentor and IP Expert CCIE Service Provider workbook, this is how I built my dynagen config file:
#I want to boot my routers manually
autostart = false
#I have the Dynamips in the same PC I run this Dynagen
#This is where I specify the location of IOS and options for NPE, RAM and idle-pc value
image = /home/himawan/IOS/c7200-js-mz.122-25.S9.bin
npe = npe-400
ram = 96
idlepc = 0xffffffff8075374c
#Each router's name and connectivity information, only showing some of them here
f0/0 = CoreSW 1
f0/0 = CoreSW 2
f0/0 = CoreSW 10
f1/0 = CoreSW 11
a3/0 = A1 1
s2/0 = ASBR1 s1/2
f0/0 = CoreSW 15
s1/0 = ASBR2 s1/0
s1/1 = ASBR2 s1/1
f0/0 = CoreSW 16
#section for virtual ATM and ethernet switch, only showing few ports here
1 = access 13
2 = access 23
3 = dot1q 1
1:1:100 = 2:1:100
As you can see the configuration file of Dynagen is very easy and straight forward. We can build as many routers as we want and put the interconnectivity information under each router. The good thing about Dynagen, we don't even need to specify which network module want to load, it will figure it out automatically.
For example, when I ASBR1 s1/0 is connected ASBR2 s1/0 interface, Dynagen will load PA-8T modules to those routers when I boot them. And one more thing, since I have specified it under ASBR1, under ASBR2 I don't need to specify that s1/0 needs to connect to ASBR1, Dynagen will take care of it automatically.
Under the virtual switch, we can assign either VLAN or dot1q trunk to the port. And for ATM switch, we can assign the value for VPI/VCI easily. Awesome, eh?
7. Execute Dynagen
Once you finish with the configuration, just make this file as executable in Linux or run Dynagen to use this configuration file:
C:\Program Files\Dynamips>dynagen.exe iementor.net
Reading configuration file...
Network successfully started
Dynamips management console
Name Type State Server Console
CE1 c7200 stopped localhost 2000
CE2 c7200 stopped localhost 2001
CE3 c7200 stopped localhost 2002
8. Start the routers, offcourse, and start playing with it!
=> start CE1
100-C7200 'CE1' started
If you don't put the Dynamips process in the background, you should see something like this:
CPU0: carved JIT exec zone of 16 Mb into 512 pages of 32 Kb.
C7200 instance 'CE1' (id 0):
VM Status : 0
RAM size : 96 Mb
IOMEM size : 0 Mb
NVRAM size : 128 Kb
NPE model : npe-400
Midplane : vxr
IOS image : c7200-js-mz.122-25.S9.bin
Loading ELF file 'c7200-js-mz.122-25.S9.bin'...
ELF entry point: 0x80008000
C7200 'CE1': starting simulation (CPU0 PC=0xffffffffbfc00000), JIT enabled.
You can even see the booting process if you want, by connecting to the console port which is starting from TCP port 2000 by default:
=> telnet CE1
telnet 127.0.0.1 2000
Now you have your lab ready, what are you waiting for?
Two more additional steps:
9. Googling or RTFM when you have problems
Read Chris's blog, check the FAQ, read the Dynagen tutorial, googling.. don't be lazy!
10. Simulating remote lab
I have a good PC at home but I have already got used to my IBM Thinkpad keyboard to practice CCIE lab. So what I did to simulate remote lab is:
- start Dynamips in Hipervisor mode in my home PC
- start Dynagen from my notebook, with modification in the config file, instead of [localhost] I specified [homePC_IP_address]
- once I connect to Dynamips, I start any routers that I like
- create shortcuts in my notebook Windows desktop such as CE1, CE2, ASBR1, R1, R2 and so on which is basically telneting to my home PC in respectable TCP ports
CE1.cmd file: start "CE1" telnet 127.0.0.1 2000
CE2.cmd file: start "CE2" telnet 127.0.0.1 2001
and so on
Now I just need to click CE1 shortcut to connect to CE1, CE2 to connect to CE2 and so on. It gives me the same feeling like when I had my CCIE lab in Brussels.
One thing to remember: this simulator can only simulate routers with ATM, frame-relay and virtual switch. It means if you are planning to go to CCIE lab other than R&S and Service Provider, you still need to buy some equipments such as Firewall for Security track or router with E1 interface for Voice track.
And also if you have less experience with Cisco IOS behaviour, when you face some issues in your lab you may not be able to distinguish the cause of the problem whether it's because of wrong configuration or Dynamips bugs or IOS bugs or lack of faith.
I may still require to rent a rack for some equipment that can't be simulated just like Cisco 3550. But the amount of time required in renting should be reduced significantly with this simulator.
So practice with simulator at home, and rent a rack several days before the exam.
It sounds like a good plan.
My only challenge now is that my PC is so powerful for gaming, especially after I added NVidia GeForce 6800XT 512Mb PCI Express graphic card. I can play The Battle for Middle Earth, Star Wars Empire at War, Ghost Recon Advance War Fighter and my most favorit game for whole time: Battle Field 2 with highest quality.
So now my CCIE SP plan has to compete with Snowboarding and Battle Field. What a tough life!
Thursday, August 24, 2006
James Blunt, chasing time: the bedlam sessions
My life is brilliant.
I am a dreamer but when I wake,
You can't break my spirit - it's my dreams you take.
I have seen fear. I have seen faith.
Seen into the eyes of the weak.
Does everyone have a different take?
Life goes on.
Look who's alone now, It's not me.
I'm just chasing time again.
But now I'm high; running wild among all the stars above.
How I wish I had screamed out loud,
Instead I've found no meaning.
I guess it's time I run far, far away; find comfort in pain
And I see no bravery, Only sadness.
Do you see my guilt? Should I feel fright?
Is the fire of hesitation burning bright?
Won't you be a friend of mine to remind me what is real?
Hold my heart and see that it bleeds.
I'm out of my mind.
Wednesday, August 09, 2006
After taking 5 lessons and fell down miserably last week, and got small bruise and scar in my face, I started questioning my decision to ride goofy from the 1st lesson. At that time my instructor told me to put the strong foot in the front, and for me it means my right foot, hence I became goofy. But just like in CCIE, it looks like you can't trust a single source. I read The Snowboard Book from Lowell Hart, and he mentioned clearly that "Snowboarding is, literally, life on the edge". Any snowboarders should be able to balance both edges from heel to toe. When I ride goofy, I can stop with my heel edge very well, but I can't do the same using my toe.
So after 1 week forensic investigation to examine why I fell, I figure out that with my left foot in the back, it's so weak and not helpful to control the board. I can make a right turn easily, when facing downhill, because my right foot in the front can turn the board around. But everytime I try to make a left turn, my left foot can't provide support to turn the board and I can lose control easily. I believe this is the reason why I fell. Case closed.
Yesterday I decided to ride regular for the first time. That's quite funny. After spending 3 weeks I still can't figure out which ride is better, goofy or regular. But I believe that's one of the lessons from this story: always evaluate yourself. And the second lesson: Trust no one, even Agent Mulder. Always try to get different resources for comparison.
And the result for my first regular riding experience? Not bad.
I fell down only about dozen times, and that's because I was trying to ride my board over the rail, one of the freestyle tricks. I was able to link the turn to make multiple S patterns. With my right foot in the back, I can use it to get more control to the board. When facing downhill and make a right turn, I can use my right foot to bring the board to toe edge position. And when facing uphill and make a left turn, I can use my right foot to bring the board to heel edge position.
So I'm regular, and I have decided to stick with 150 board.
I'm regular just like most people.
It sounds so familiar, doesn't it? I'm a regular person. Even I have two CCIE but I'm not an expert. It's difficult for me to distinguish myself.
So it looks like I have to do something about it.
I'm thinking about my CCIE Service Provider plan.
Snowboarding and CCIE. It may works.
Saturday, August 05, 2006
The first keyword that I typed in the search engine, obivously, is CCIE. And I couldn't stop laughing when I saw the result.
But seriously, if you are reading this and interested to apply for that job, please forward your CV to me. I can help you to forward it directly to the right person in charge.
Well, at least until the end of this month.
Happy job hunting.
Tuesday, August 01, 2006
After introducing myself, I told them that I need to wear my sunglasses during the interview to cover up the bruise in my face. When they asked me what happened, I almost said that I don't want to die without scar. But then I remember the first rule of Fight Club is you don't talk about Fight Club. So I told them the truth that I fell and fainted in Ski Dubai the day before.
Guess what? The interview became smooth afterwards. When they found out that I have another life other than geeking out all the time, it's relatively easy to talk. And since I have two CCIEs I guess they decided that it's not necessary to verify my technical skill.
This company does almost similar with what my current company does, so other than the new environment I don't think there will be much changes if I join them. But I don't bother. I guest I have reached the point where I can separate my personal life with my job, something that almost impossible to be done before. Being jobless for some time and keep waiting hopelessly for Cisco to hire me really taugh me a lesson that it's better to work in any company and have my life outside the workplace.
So bring it on, just give me any job. That's not my life anyway.
I left the place with the promise from them to send the offer as soon as possible.
The second company is quite different.
First of all, it's a government company. And the second, I'm going to manage the internal network. Huge network. Most probably the biggest in this region but it has never been published due to confidentiality concerns.
I'm a big fan of government agency-related TV series such as X-Files or 24, so somehow I feel excited about it.
Third, not only the network is huge but it also utilizes various equipments and latest technologies. I know if I decide to join them I will have to sign Non Disclosure Agreement so for sure I will not be able to share my work to anyone, not even in this blog. But remember the separation between personal life and work? Why can't I have exciting work environment and do exciting activities outside working hours?
And last but not least, the money is good.
While driving back home, I got a phone call from one telecommunication provider in UK. The technical discussion was fine, and the HR personnel asked me to check with UK local embassy whether I can get working permit as computer-related engineer eventhough I don't have bachelor degree in computer-related. Other than this issue, I believe they are interested to continue the process.
I have new different choices now. And it all happens in one day.
Thank you, God.
Monday, July 31, 2006
For me, if I can die without scar is still fine. I would never wish for such things. But sometime things come up and given to you whether you like it or not.
So yesterday I fell down in Ski Dubai and fainted. I believe I was exhausted since I had been practicing the S-turn for couple of hours. It was my last run and suddenly I fell.
The most scariest thing is I can't remember how I fell. I remember I started my falling leaf and then blank. I fainted. I woke up and found myself on the snow with broken sunglasses and bleeding mouth. Half of my face was numb. Two medical officers run to help. One of them asked me the date. I told him, how the heck I know. Even in normal circumstances I can't remember the date. He told me that I'm fine. Then they took me to medical room, gave me some ice and dropped some liquid to my eye. I went home driving alone with the ice sticked to my face.
I didn't know how bad it was until the next morning, today. I looked at my self in the mirror and I saw a bruise under my left eye. Little scar next to my eye and dried blood. It's not that bad.
The only bad thing is I will have two job interviews in the next couple of hours.
Have I done something bad to my head?
Hopefully not. My brain is the only thing that I have now to get me a new job. The most precious gift from God and I hope I can pass the interviews today with it.
With the bruise and scar in my face.
Friday, July 28, 2006
When I was small, I used to play soccer as goalie until the 2nd grade when I realized that I have to use eyeglasses. Minus two.
That explains why I was never been able to catch the ball, I thought.
Anyway, since that time I have never been involved in any serious sports anymore. I do sport only in my PS2. Soccer? Winning Eleven for sure. Golf? Tiger Wood's. I can even drive very fast in Need for Speed. Well, at least I can have exercise for my thumbs.
I swim almost every day in the small swimming pool on the roof of my new apartment, but I don't consider it as sport. Sport means get sweaty. Playing inside the water for an hour or two definetely will not make me sweaty. Or perhaps that's only because I can't distinguish between the pool water and my sweat? Hmm.
After I decided to resign from my current company, I was looking for some activities that I can do only in Dubai. I want to do something that make me remember this place. You never know, I may not get a chance to work in this country anymore.
Dubai offers quite lots of activities, for both outdoor and indoor. The only drawback is during summer the heat can go beyond 50 degree celcius. Even local authority never confirm this, since according to the regulation beyond 50 degree all outdoor activities must be stopped completely, but you can see it really happens if you have temperature sensor in your car.
So four wheel driving in the desert, no way. Surfboarding, too hot. Rock climbing, never seen it and even it exists it will be too hot. Drag racing, no I don't consider it as sport. No sweaty. Perhaps the people who watch will get sweaty hoping their love one to win, but nah. And it's too expensive!
Then two weeks ago I was roaming around one of the shopping mall in Dubai when I saw one activity that I always wanted to do but never had guts and chances to do it because of the nature of my work and my CCIE journey.
Dubai has the world's third largest indoor ski slope and the only one in the region, offcourse, called Ski Dubai. Measuring 400 meters and using 6000 tons of snow, it offers consistent -1 to -2 degree celcius temperature. So only in Dubai you can experience 50 degree celcius in the desert and sub zero in Ski Dubai, in the same day!
Since I have decided to drop my CCIE Service Provider journey until Cisco upgrade all the lab equipments to 7200 series, I have plenty of time to spent. So here we go. I registered my self for snowboarding beginner class last week.
After 3 lessons and falling down around 2347 times, I realize what the most important thing in snowboarding. Control. And just like CCIE, what requires is practice, practice and practice. The good thing is I don't have any target to catch. There is no exam that I need to attempt. Only that there will be snowboarding 5-days bootcamp starting on August 5th to learn freestyle from Burton's professional snowboarders and I don't want to miss it.
I have to be in Level-2 to be able to join this bootcamp, this means I must be able to perform S-turn and small ollie in beginner slope.
Well, looks like I have to get ready then.
I'm a goofy and my board is 145.
Practice, practice, practice.
Thursday, July 20, 2006
So it looks like I won't be Triple CCIE by 30.
And for sure I won't be Triple CCIE while still in my current company. I have resigned three weeks ago and my last day of employment will be October 1st, 2006. From now until my last day I will be busy completing some projects, looking for a new job and preparing myself for the updated CCIE SP lab.
It's quite funny. I will be jobless in couple of months but I'm not afraid. I have no car, I live in strange country alone, and I slept in my rental car couple of days ago because they kicked me out from my apartment, but I'm still feeling good! My mind is free because now I'm the one who controls my schedule, my projects and my life.
I breathe the free air.
And since I have sold all my labs to gain my financial status back to balance, now I can only practice with remote lab. At home I'm using Cisco 7200 Simulator in my laptop to simulate an ISP network with 3 P and 3 PE routers. The simulator surely brings down my laptop down to its knee with 100% CPU utilization all the time, but it's good enough to keep me busy.
So no car, no job, no home, no lab, live alone. But I'm free.
"It's only after you've lost everything that you're free to do anything."
-- Fight Club
Saturday, July 15, 2006
Read the announcement from Cisco here.
With the introduction of 7200 series routers to CCIE lab starting November 2006, all my calculation has been changed completely. Why taking CCIE now if you know after November you will have chance to have "real world" scenario in the lab? With 7200 most probably several features that were not tested before, i.e. L2VPN Martini, will be added to the lab.
Now we are back in business.
Thursday, July 06, 2006
Routing to the Edges, CSA, Call Manager, Unity, 802.1x, WPA-2, Video Phone, HDV, PVDM2, CiscoWorks, MARS, ACS, Radius, ATM E3, AAA, Layer 3 Roaming, VG224, Load Balancing, Transparent Proxy with WCCP, VTP mode Transparent, Route Target, Port Channel, OSPF Area Authentication, DHCP Option 150, Firewall vlan-group, NTP, High Availability, Dial Peer, Calling Searh Space, BGP Route Reflector, SSHv2, VRF, Call Park, LDAP, 3750 StackWise.
All in 25 days.
Saturday, July 01, 2006
I still can’t believe it. Finally it really happens.
I still can’t believe finally I can tender my resignation letter.
After 4 years, 4 bloody years.
As per my contract, I have to stay in my company for another 3 months to complete all the projects or hand them over to my successor.
What’s wrong with my company?
It’s only that I’m not ready to end up here.
I feel like a big fish in a small pond.
I want to go to bigger pond. I want to go to the ocean.
I may go down drowning over there, but at least I have to try.
And it’s not only a bigger pond.
I want to go to a place where people judge me only based on my expertise and my capabilities to deliver the work. And nothing else.
I want to go to a place where I can grow.
Where I can’t see the end of the road.
The place that respects me for what I can do.
You may call me a dreamer.
That place may not even exist.
After 3 months, I may find myself standing in nowhere.
But instead of die in curiosity keep thinking about it, it’s better to try to find out.
And I still have time to dream until 1st October.
So please wake me up when September ends.
And if you know that such place really exists, please let me know.
Friday, June 23, 2006
The picture shows the Campus Network building blocks model that is the most common topology in Enterprise Network. It contains Access or Edge Switches where the end users are connected, Distribution Switches as aggregation point for the Access Switches, Core Switches as the central of the network, and Server Farm Switches to connect all the servers.
Why do we need such blocks model? Because it’s modular and scalable. Most of the time we use duplicate hardware and multiple connection links on each block to provide redundancy. Connection to the Internet, through the firewall, can be facilitated by connecting the Internet building block to the Core Switches. And it applies to connection to branch offices as well, called Wide Area Network (WAN), the building block can be connected to Core Switches. I don’t draw both Internet and WAN blocks for the sake of simplicity.
Cisco Systems offers service module on its chassis-based switches. The most common modules that my customers opt to buy are Firewall and Intrusion Prevention System (IPS) blades that are installed on Server Farm Switches to protect the servers. Firewall modules or well known as Firewall blades will be one of the key of implementing MPLS VPN in my scenario.
So what are the requirements? My customers have 8 different users group that are separated into 8 different VLANs. All those VLANs shall communicate to each other without any restrictions except for the 8th VLAN: they must not see the other VLANs at all, but some selective users from different VLANs should be able to establish one-way communication to that 8th VLAN. The 8th VLAN will have its own Internet connection through ADSL, and not through the main Internet link and Internet building block, and it considered to be out of my customer administration control completely. So the main idea is just like having De Militarized Zone (DMZ) inside the internal network separated in different edge switches location!
In normal circumstances, I would configure inter-VLAN routing on the closest Layer 3 Devices to the end users, and put Access Control List (ACL) to provide the restriction. The problem with this approach: administration overhead to maintain the ACL. Any modification on the ACL requires any reconfiguration on all those Layer 3 Devices.
So I chose more elegant way by simply enabling MPLS VPN. Especially since the hardware used in this scenario are Cisco 6500/7600 model with Supervisor 720-3B module that supports MPLS in the hardware.
Following is the step-by-step how I accomplish my goal:
Step 1: Physical Connection
As it showed in the picture, there are multiple links to provide redundancy. Access Switches are connected to 2 different Distribution Switches, each Distribution Switch is connected to both Core Switches and they are connected to each other as well. Server Farms Switches are just like another distribution switches: connected to each other and to both Core Switches. The connection between Distribution – Core – Server Farms is utilizing high speed 10 Gigabit per second fiber links. Connection between Access to Distribution can use 1 Gigabit per second or more with Ether-Channel technology, and it depends on the over-subscription ratio: the ratio between number of end users and the uplink. Access Switches can be stacked, and with the new StackWise technology from Cisco on 3750 series switches, all access switches in 1 stack act as 1 switch with combined number of interfaces.
Step 2: Connectivity with Interior Gateway Protocol (IGP)
The next step is to provide connectivity with IGP Routing. I chose OSPFv2 and put Core, Distribution, and Server Farm Switches into Area 0 Backbone. Connection between Distribution to Access, most of the time it is the Switch Virtual Interface (SVI) or VLAN Interface, is placed into different area to facilitate Summarization into Area 0.
The 2 Firewall blades installed in 2 Server Farm switches are configured in Single Context mode and active-passive failover. We must configure 1 VLAN between Server Farms Switches and the Firewall blades, and this VLAN acts as the “Outside” network for the Firewalls. OSPF Totally Stub Area is configured between 2 Server Farm switches and the active Firewall, to inject only default route to the firewall blade pointing to the switches, and to get the routes to all the Servers networks behind the Firewall blade.
For connection between Distribution to Access, if I terminate Layer 2 VLAN in Distribution Switches with SVI, Distribution Switches will be the routing gateways for all the end users. But if I want to have the same VLAN spans across multiple Access Switch stacks, then I need to run Hot Standby Routing Protocol (HSRP) on both Distribution Switches and I must have Layer 2 Link or Trunk between Distribution Switches. Having layer 2 Trunk between Distribution Switches, and from Distribution to Access switches, can forms Layer 2 loop between Distribution – Access – Distribution and it forces me to rely on Spanning Tree Protocol (STP) to break this loop. Now I have 3 different protocols running in my Distribution Switches: IGP, HSRP, STP and I require to sync the configuration on all those 3 protocols.
I don’t want to get into that complexity, and since my Access switches are Cisco 3750 with EMI software, I decided to run Layer 3 Routing between Distribution and Access. So Access Switches are the gateways for all the end users now. Having Routing to the Access model provides several benefits: there is only 1 protocol for connectivity within the network which is the IGP, we can use Layer 3 tools such as Ping and Traceroute to verify end-to-end connectivity and not bother to check all Layer 2 parameters such as STP root bridge etc, and by default IGP provides equal cost load balancing to utilize better of all the uplinks from the Access to Distribution.
The link from Distribution to Access can use Ether-Channel to provide more than 1 Gbps connection. It’s a Layer 2 Trunk that allows only 1 VLAN to pass through and this VLAN is used as Layer 3 link from Access to Distribution. I can make the Ether-Channel interface as Layer 3 port directly but I would need another Layer 3 link for my MPLS VPN. It will be explained next in Step 4.
Step 3: Enable MPLS LDP on all MPLS-enabled devices
This step is straight forward. By default with current IOS version, Cisco enables Tag Distribution Protocol (TDP) instead of Label Distribution Protocol (LDP). So what I need to do is only defining 1 loopback interfaces as my Router ID and enabling LDP on all interfaces required.
Cisco 3750 access switches don’t support MPLS labeling. So in my scenario the MPLS cloud is formed between Distribution – Core – Server Farms. Core Switches act as P routers and both Distribution and Server Farms Switches act as PE routers.
Quick verification can be done by looking at the LDP neighborship on each MPLS device. Up to this step, we have already had our MPLS backbone ready for the real application: MPLS Layer 3 VPN.
Step 4: Virtual Routing Forwarding (VRF) and PE-CE links
It’s time to enable VRF on each Distribution. Define the Route Distinguisher (RD) and Route Target (RT) and assign the PE-CE links into the VRF. If I chose the Routing to Distribution model, where Distribution Switches are the routing gateways for all end users, the PE-CE links are the SVI interfaces.
But since I decide to have Layer 3 Routing between Distribution and Access, then I need to create another VLAN for Layer 3 link from Distribution to Access. So now I have 2 VLANs for Layer 3 links between Distribution and Access: 1 for the global routing and 1 for the VRF.
Cisco 3750 switch with EMI software supports multi-VRF or VRF-lite feature. Basically with this feature we still can’t do MPLS labeling but it can extend the VRF from Distribution to Access switches. So in any Access switches where I have the 8th VLAN, what I need to do: create the VLAN, assign particular ports into the VLAN, create SVI or VLAN interface as the default gateway for the end users, create VRF with Route Distinguisher, then assign the SVI into the VRF. The same VRF will be assigned to one of the VLAN for layer 3 links to Distribution. Now I have VRF all the way from Distribution, Layer 3 Link between Distribution and Access, and the SVI in Access switches.
Since the 8th VLAN Interface will be part of VRF, the subnet will not show up in global routing table in any Access Switches hence it won’t be able to communicate to any other VLANs even in the same Access switch.
Communication between PE – CE can utilize Static, RIP, OSPFv2, EIGRP and even BGP. If there is only 1 VLAN just like in my scenario, I can use Static Routing for the sake of simplicity. So Distribution will have static route for the 8th VLAN pointing to the Access Switch, and the Access Switch can have Static default route pointing to both Distribution Switches. If I want to use OSPFv2 and on each Distribution it has to run in different Process ID than the OSPFv2 that provides connectivity for global routing.
All the users in 8th VLAN can reach each other within the same Distribution Switches. Now it’s the time to connect them to another Distribution Switches and Server Farms.
Step 5: Multi-Protocol BGP (MP-BGP) and Route Reflectors
MP-BGP is used to transmit the VRF routes from one PE to another PE. The first thing we need to do is to make both Core Switches as BGP Route Reflectors, to avoid having a fully mesh topology. All PEs are required to establish the communication to Route Reflectors only. Remember, with MP-BGP we need to configure Address Family VPNv4 under BGP Routing configuration, activate the neighbors and enable BGP Extended Community to transfer the Route Target parameters. Route Target is used to define with route will be exported and installed on each PE router.
On each Distribution Switch, all Static or OSPFv2 routes that is used in PE-CE connection need to be redistributed into BGP, and all BGP VPNv4 routes achieved from another PE need to be redistributed into the VRF OSPFv2. If we use Static Routing, default gateway has to be configured on each Access Switches pointing to Distribution.
Once we complete this step, all Distribution and Server Farm Switches should be able to see all 8th VLAN routes inside the VRF routing table.
Step 6: Connecting the VPN to the Global Network
Connectivity between 8th VLAN in different Distribution Switches has been achieved, now it’s time to connect this VPN to the rest of the network that I call Global Network. Firewall blade is the key here. It protects all the servers and at the same time it acts as the meeting point between 8th VLAN VRF and the rest of the network.
Between Server Farm Switches and Firewall blades, we have already configured 1 VLAN as the Outside network for the Firewalls. So any traffic to the Servers from all user VLANs, except the 8th VLAN, get into the Firewalls through this Outside network VLAN. Now we need to create another VLAN between Server Farm Switches and Firewall Blades, and assign this VLAN into the VRF. This VLAN will act as DMZ network connected to Firewall Blades.
By default Cisco Firewall modules only allow to have 1 SVI or VLAN interfaces in single context mode to act as Outside interfaces. To circumvent this problem, we need to enable firewall multiple-vlan-interfaces feature. Use this feature with caution! Wrong configuration may lead to the traffic bypassing the Firewalls to reach the servers.
Once we have another VLAN acting as DMZ for the Firewalls, we can setup the Access Control List in the Firewall blades to allow communication from the VPN to the servers, or communication between all other VLANs to the 8th VLAN.
Static routing for traffic to the servers or any other VLANs can be configured in Server Farm Switches VRF pointing to Firewall blades DMZ interface, and this static route must be redistribute into the MP-BGP so all 8th VLANs know how to reach all servers and any other VLANs. We should do the same trick for global network so all other VLANs know how to reach the 8th VLAN through the Firewall blade Outside interface.
Step 7: Network Ready For Use testing
It’s time to verify our setup. We should test the connectivity with step-by-step approach: verify the IGP for global routing, verify MPLS LDP in all MPLS-enabled devices, check the PE-CE connectivity, test the connection between 8th VLAN in different Access Switches but still connected to the same Distribution Switches, verify the VPNv4 routes, and test connectivity between 8th VLAN in different Distribution Switches, and connectivity to the Firewall blade and Server Farms Switches.
The last verification, check the ACL on Firewall blades to make sure 8th VLAN can connect to the servers but not to any other VLANs in global network, and selected users from any other VLANs are allowed to communicate to the 8th VLAN through the Firewalls.
As you can see, one of the benefit of using MPLS Layer 3 VPN instead of distributed ACL on each Distribution Switch is to cut the administration overhead to maintain the network. We can have a single infrastructure to provide different isolated users group or network on top of it, and the policy to control the communication between different users group can be centralized using Firewall Blade.
I’m using MPLS VPN to segregate the 8th VLAN. One day I may come across the requirements to segregate all those 8 VLANs into 8 different isolated networks, and allow the communication between each other only through centralized Firewall. That will be the day I would say Thank You, Once Again to all the guys who invented MPLS Layer 3 VPN.
Saturday, May 27, 2006
It’s coming. I knew it, and it’s coming.
When people talk about MPLS, they always associate it with Service Provider. By adding label to the packet between layer 2 and layer 3, MPLS can provide so many services such as Layer 3 VPN, Layer 2 VPN, Traffic Engineering and so on.
Why Enterprise customers need MPLS?
MPLS was invented originally to optimize and increase the switching performance by not doing Layer 3 lookup, but MPLS label lookup instead. Nowadays switching performance in network device has been increased and it is equal for either Layer 3 lookup or layer 2 lookup. So increasing the performance is not the answer we are looking for.
Okay, it’s really good to consolidate ATM backbone and Frame-Relay backbone into single IP infrastructure with Layer 2 VPN. But which Enterprise customer maintains the physical layer for its backbone? And forget about Traffic Engineering for time being.
The most applicable MPLS service for Enterprise is: Layer 3 VPN. But wait, why in single Enterprise network you need to run MPLS L3 VPN?
Well, the answer is obvious if you have any third party vendors or consultants working in several places in your network. You want them to use your network transparently: they can connect to each other but they can’t see your infrastructure. MPLS L3 VPN is the answer.
Now I want to push it even further. I have one project to build big campus network, with core, distribution, and access switches topology. And the users are divided into several departments. The policy from my customer: within one department, regardless of the physical location, users should be able to connect to each other. But they should not be able to connect to any other departments. And all of them share the same data center, and share the same Internet connection.
I have two options for this: put Access Control List (ACL) in any distribution switches or the gateways. This is the most common option that any Network Engineers would choose. The second option is to have VPN within each department so they will not be able to communicate to each other. VPN can be provided with normal GRE tunnel, IPSec, and.. MPLS.
Compare to the other two, MPLS configuration is easier and more fit to address the above requirement.
The MPLS cloud will start from distribution switches. So at minimum, distribution should run hardware that can support MPLS. From Cisco this can be Catalyst 6500 series with Supervisor 720-3B. We can terminate each VPN into the firewall, one VRF for one VLAN connected to the firewall. With this way, we can have all the MPLS VPN connected to firewall as DMZ. Later on, if it’s required to provide specific access between VPN, all the connection can be inspected and filtered through the firewall.
Things get interesting if you want to extend MPLS to the access switches. Cisco encourages to have Routing terminated into the access nowadays, to eliminate the requirement of Spanning-Tree Protocol and HSRP. If we can run routing in access switches, the gateway for all users will be the access switch itself. No STP and HSRP required. And to extend MPLS to the access, we need to have VRF-Lite feature to bind each user VLAN to dedicated uplink to Distribution switches. In distribution switches, each uplink from access switch will be placed into designated VRF.
So it’s coming, everyone. MPLS is already here, and it’s inevitable.
All Enterprise customers hear me now: MPLS time has come.
Saturday, May 20, 2006
From the past couple of months I have been involved in 4 major projects in my company. Some of them are the largest that we have ever dealt with. This promotes my company as the hottest Cisco partner in the country, and we do the hottest project in town together with Cisco directly. And how about my roles? From technical project manager, lead engineer, designer, consultant, implementation supervisor, to logistic manager. Working starts from pre-implementation until training and project hand-over.
I’m under pressure.
All the projects have similar time frame. All of them started from last month, and 2 will start the installation during this summer, while the other 2 will be still in design process.
Meeting, meeting, meeting. Design workshop. Presentation. High Level and Low Level Design. Implementation Plan. Network Ready for Use. Site Readiness. Material Delivery. Staging. Material inspection. Site survey. Testing procedure. Documentation.
So many things to do, so less time to have.
Four different customers from airport, shopping mall, residential and university. Different technology on each place. From MPLS Layer 3 VPN, very high availability design, 10 Gigabit to the edges, triple play with Multicast and QOS, OSPF multi area, Wireless network with LWAPP and layer 3 roaming, IP Telephony, Firewall and Intrusion Prevention System, up to network management. Different design and customer requirements. Different expectations. Different rules.
I’m choked. I’m choked, to the limit.
I can’t breath. All the workloads. All the responsibilities.
It’s hell a lot of fun, but it’s not worth it anymore.
Keep working days and nights, even during the weekends.
No complaints, until I started getting phone calls from my daughter:
“Daddy, where are you? I want to have my dinner with you.”
I’m choked. And I believe it’s not worth it.
Especially since I still haven’t got my respect.
I need to do something about it.
Friday, May 05, 2006
I knew it since beginning that the 3rd option would not be easy. It is the red pill that Neo had to take in order to know what the meaning of The Matrix is. Well, it may not be that hard, but it is still not a straight trough highway where I can see the end of the road. Again, the power of uncertainty is something that can really make our life so dynamic, and so painful at the same time.
Anyway, when I sold my car last week and started driving a rental Toyota Corolla, my friend told me that I would lose something that he called BMW Respect.
What the heck is that? It is a respect that other car owners give you in the street, he replied. Everytime you try to change your lane with you BMW or any expensive cars, people tend to give you more room.
That’s silly, I though, there is no such thing.
So here I was, driving my Toyota happily in one of Dubai busy streets. Okay, I was in the slow lane and I wanted to increase my speed. It was time for me to change my lane.
What the…???!!! This guy almost hit my car! He didn’t reduce his speed at all to give me some room to enter the lane.
What’s your problem, dude? Maniac.
I started thinking about my friend’s respect. Nah, it’s just a coincidence. There’s always speedy maniac everywhere.
I kept trying to convince myself until I got the same experience over and over again. Everytime I tried to change the lane, I really had to fight for it. I never faced this issue with my previous car.
What’s wrong with Toyota, guys?
So that kind of respect really exists?
In another day, I went to one store in shopping mall to buy something. I noticed that I was left alone for quite some time, none of the store attendants tried to approach me to ask what I want or offer me services.
Were all of them busy? Not really. That guy was standing in the corner and did nothing other than watching the whole store. What? There was a couple who wore decent clothes and the guy went to them with a big smile and offered his favor.
Okay, I was wearing only normal shirt and jeans. But does it mean I’m not a potential buyer? In fact I was ready to spend my money but the story ended up by me walking out the store due to the way its employee treated me.
My thought about this respect started bugging me. Yesterday I drove my car to my office which is located in one of five star hotels in Sheik Zayed Road, Dubai’s main road.
Normally everytime I drive through the hotel atrium with my BMW, there’s always one hotel officer who offers me valet parking.
Hey, what happens today? Where’s the valet parking guy?
With my company policy I can’t use hotel valet service anyway, but it’s still good to see at least those guys try to show me some respect.
Wait. Did I say respect?
So is my friend definition about respect really true?
Why does such standard exist?
So people must drive expensive car to get respect?
So people must wear decent clothing to get service?
Suddenly I feel vulnerable. I feel insecure.
Not because of my Toyota looks like made from the cheap material just like normal Coke can and it makes me feel really insecure if I ever get into even a small accident.
I feel vulnerable about my life. About the way some people treat other people with their own definition of respect.
I feel insecure about my job.
Is this the reason why even I have been with my current company for 4 years now and never get any raise? Even I believe I have delivered some of my company largest project successfully but as a person I'm still not within the standard to get my respect?
And is this the reason why I still can’t join Cisco ME until now?
No way. Cisco Systems is an Equal Opportunity Employer. At least that’s what written in the website.
And isn’t it clear from the last Gulf partner summit that they would not hire people from partner? But wait. Isn’t one of my CCIE colleagues who used to work with my company joining Cisco recently?
Is it because he has more experience and expertise than me or because some other reasons?
Another hopeless thought.
I just want to work in a place where people respect me only because of my expertise and performance in delivering the job.
And nothing else.
Please let me know if such place exists.
Monday, April 17, 2006
Samer Alkharrat, General Manager for Gulf and Pakistan mentioned: “Yes, Middle East is one of the Emerging Market with 60% business growth. And for sure Cisco Systems Middle East is expanding. We need to hire more than 30 people in the next several months. But let me makes it clear: We will not touch you all from our partners. We will not hire anyone who works in our partners”
The mood of some people inside the room changed dramatically.
I was one of those hopeless crowds. One of the bunches of people who used to think that if we serve Cisco well, than one day we will get our rewards and be able to work for Cisco directly.
So Cisco Middle East is hiring 30 guys within several months, and all of those cannot be from the partners? Yeah, right. Then from where will Cisco get them?
Sam then continued: “but you have to take care of your employees. It really hurts us every time we see the best people from our partners move to our competitors like Huawei or Juniper”
That’s exactly my point.
Unless Cisco wants to see Double CCIE or even Triple CCIE to join its competitor, they should not have this kind of policy at all!
What will be the future for all Cisco engineers who work in partners like me then?
I may not like to go to the competitor, but where should I go?
So it looks like I’m stuck with my 3-options. Or am I?
What if I try to get more options? It may not solve my problems but at least it will make me happier, perhaps.
Starting from last night, I put back my CV in monster.
I used to have my CV available there until I removed it last year because I was so busy with my CCIE security preparation. I didn't have time for searching a job.
Now it is time to announce my existence to the world.
Let’s wait and see.
Monday, April 10, 2006
Option 1 – Keep the status quo
Stay with current job as both Consultant and Senior Engineer, it means still dealing with all Cisco stuff, may get into several interesting MPLS and VPLS projects that will come up, but no proper job description, do both configuration and consulting
Pros: still keep up with my main interest: Cisco console!
Cons: field engineer job, may do physical work like mounting etc
Option 2 – Same shit, different style
Stay with the same company, but move to sales department as pure pre-sales consultant, stay away from the console, white collar job, get more respect by selling more
Pros: try to do something different, gain more respect
Cons: may get blame when losing project, work for the same company
Option 3 – Uncle Sam, here I come
Move to US, get H1b visa trough some agency company, most probably will be located in San Jose, may be able to work with even Juniper or Cisco, but get only 60% paid from current wages, need to separate from family for first couple of months
Pros: dream comes true, even far from perfect
Cons: lose hell lots of money, need to start from ground zero again, separate from family
So what would it be? Option 1, option 2 or option 3?
Option 1 is the easiest to pass my time while collecting money, and I have already had reputation on this field.
Option 2, will give me respect and proper job description. I still have yet to show my skill as designer and help my company to sale more.
Option 3… hmm, let’s see. Lose money, go into completely new country, work through agency, separate from family, must build reputation from beginning, must compete with the best network guys on the planet, no certain future.
No certain future.
Everything really depends on my self.
It really depends on my performance over there.
I may reach the top of the world, or just end up as a loser.
And that uncertainty is the only thing that makes this option worth.
Choices, one thing that makes our life so dynamic.
And I believe I have already taken my option.
Friday, March 03, 2006
So, the call was from Cisco’s younger brother :) . Okay, I’m not sure how was my performance during the interview, but that 45-minutes phone call really taught me one important lesson: I’m still very far from an expert level.
I have 2 CCIE. And ‘E’ stands for Expert. So I’m 2 times expert. Yeah, rite. Having CCIE, even multiple CCIE, doesn’t mean we are an expert. It only means: we have passed the goddamn hard 8-hours exam. It means we are self-motivated, hard worker, well-driven, eager to learn and bla bla bla, but not necessary an expert.
As always, everything happens for a reason. Regardless whether we do well or bad, the most important thing is to learn from our past. So I tried to evaluate why someone who has years of experience and multiple CCIE like me, still can get confused with some basic question. And following are my findings:
- I keep jumping from one topic to another topic
My job nature forces me to always work on different technology from time to time. Last week I might dealing with Wireless, yesterday was IPSec, today is for QOS, and tomorrow will be for VPLS. Doing all this stuff within short timeframe is good to become a consultant, but it won’t give enough time to dig into the detail on each technology. So broader knowledge, but lesser detail.
- I’m a system integrator, a solution implementer
I have to deploy solution that fits with customer requirements. Sometime it requires me to integrate multiple systems from different vendor. But the main idea is: to have a working solution. If we have to bundle multiple products into a single infrastructure, our main concern will not on the bit and bytes of the traffic. It will be on higher level. Knowing the OSPF LSA header will not help, but knowing the best practice to deploy OSPF with multiple areas obviously is required.
- No project has ever challenged me enough
Well, this is back to my 2 Law. If there is not any projects that complex enough and require lots of testing, than it’s difficult to force us down into very detail. If the mindset is only to make it works, than we won’t bother to search for more information. Delivering project means there is a timeframe, there is a target date to achieve. I can’t tell the customer that the project has not finished yet because I'm still curious and investigating the layer 2 header mapping in VPLS. Project management is so complicated and sometime there is political issue involved, so it provides no slot left to have fun in the devices.
Personally I believe there are several levels of engineer: one who can deploy, one who can troubleshoot, one who can design a solution and one who designs the system. The first one is the most common. To configure a device, even multiple devices, sometime is no-brainer. Just read the manual and try to find sample configuration from vendor’s website, and it’s done. To be able to troubleshoot, one needs to know in more detail. We can’t troubleshoot if we don’t know how it works. CCIE can make us reach this level. It can make anyone who passes to design solution as well. But it won’t teach how to design a system or device.
By designing the system I mean these are the guys behind the device architecture. Who define why and how the device will be developed. They are not necessary the developer. But obviously they are the ones who decide which features need to be added or removed. They are the ones who think about what need to be done in the next product release. They are the ones who test the new products, simulate real-life scenarios and verify the result, and provide critical feedback to developers. Read the RFC and follow the standard to guarantee inter-operability with other vendors, and sometime involve in making the Internet draft to become a new RFC.
They define the future of the product.
Most of the time, the future of the technology.
This post is for all system designers and testing engineers out there.
I respect all of you guys. And becoming one like you, most probably is my ultimate goal.
Tuesday, February 28, 2006
One guy saw my Metro Ethernet score report this morning and asked me the question: why I keep doing this CCIE stuff. Why I keep taking CCIE lab even there are lots of misery during the journey: losing social life, bunch of money, and all the excitements in the world only for one damn 8-hours exam.
Well, my answer is simple:
- Because it’s fun
- Because last year, when I was still only a CCIE, I tried to apply to Advance Services Team in Cisco Middle East and I got rejected because I was not “qualified enough”
- Because I want to learn new stuff and CCIE is the only thing that can accommodate me
I have invented something that I called 2 Law of Desperate Workers:
Law 1: To get a better job, you need to have good experience and build good working experience profile
Law 2: In order to get good experience and build good working experience profile, you need to work in a better job
So far I use CCIE to solve the 2 Law issue. Well, it won’t give me large scale deployment experience, but at least it’s close enough to make me able to design, setup and troubleshoot complex technology in much smaller scale. So to learn MPLS in deep detail, CCIE Service Provider is the answer.
But the scariest question for me now is: how if I become triple CCIE later this year and still can’t get a better job? What kind of excitement that I can get other than working on fancy features in Cisco boxes? Doing another CCIE by my own is getting harder, because the other 2 tracks left are Voice and Storage. With my current situation, it’s almost impossible to build those 2 labs at home. It’s just too expensive. And until now I’m not interested enough to take that path.
So hear me you guys in Cisco Systems, please accept my message, Mr. Chambers: I’m willing to work in Cisco Systems Advance Services Team in any location in the world.
Why Advance Services?
Because I know people in Advance Service dealing with analysis and diagnosis of highly complex networking problems and complex network designs, up to builds simulated networks in test labs to resolve highly complex problems and compatibility issues. It’s a very challenging job and it gives me a chance to help all Cisco customers directly just like what I have been doing with my current company, with larger scale. And of course, with @cisco.com behind my name.
Everything I know related to networking I learned it from Cisco. My bookshelf is full of Ciscopress books. Everytime I want to know about new networking technology, I always refer to Cisco website first. I use Cisco certification to advance my career. I read Cisco books to get clear explanation of RFC. So working for Cisco directly, is just like going home to me.
Why anywhere in the world?
Well, if I had privilege to choose than I wouldn’t write this in my blog and expect someone from Cisco to read it, right?
So until I get the offer from the “better place”, I will keep myself busy in CCIE Service Provider track. I will try to borrow some 7200 routers so I can test EoMPLS Martini and Interworking, several new magical things in networking world. At least for me.
Who knows what will happen after I pass my third CCIE. But at least let me enjoy every second of this journey.
And btw, if you are reading this and know some opportunities and you think it may makes me happy, please let me know. Thanks.
Monday, February 27, 2006
Following is the material I used to study:
Halabi’s Metro Ethernet book
Layer 2 VPN Architecture by Wei Luo etc
Re-read Ivan’s MPLS VPN book
This is not required, but I read some chapters from Osborne’s Traffic Engineering (TE chapter from Halabi book is enough for the exam)
And definetely my favorite resource: Networkers Online presentation. I love the L2VPN troubleshooting session with Dmitry Bokotey.
For me, passing CCIE written doesn’t mean anything except makes me eligible to register for the lab. I have mentioned in one of the points in How to Become CCIE: studying written won’t help much in real lab. The reason is because the coverage in written exam is different with the lab.
Metro Ethernet exam focuses on Layer 2 VPN, while the lab focuses on MPLS VPN, MP BGP, TE, multicast, QOS and Security in Service Provider environment, and normal routing switching stuff.
According to Tong Ma, CCIE SP lab proctor in San Jose, and Vincent Zhou, the CCIE SP Program manager, there is no lab in the world that has 7200 routers to test Layer 2 VPN. IOS 12.0 S is required to deploy L2VPN and this code can run only on 7000 series router and higher. So it’s coming, they said, but until all the lab hardware has been upgraded, L2VPN won’t be tested.
I’m planning to become Triple CCIE when I’m still 30.
So it means I have only 10 months left.
It's time to get dirty again.
Friday, February 10, 2006
By Himawan Nugroho, CCIE #8171 (R&S, Security)
Two weeks ago I passed my CCIE Security lab. It was my 2nd attempt in Brussels. I passed my CCIE Routing & Switching lab 5 years ago in Tokyo on 2nd attempt too. I become double CCIE in R&S and Security without taking any trainings or bootcamp. Only with self-study, countless hours in my home lab, and lots of Starbucks Mocca Frappucino.
Based on my experience taking 4 lab attempts, I try to write down the summary how I did it. This how-to is specific to CCIE Security lab, but the general idea can be applied to any CCIE tracks.
Scott Morris, Quad CCIE, wrote the article 'So You Want To Be a CCIE?' and it's really worth reading. Yusuf Bhaiji, CCIE Security lab program manager and the author of CCIE Security Practice Labs wrote 'Insider's Tips on Earning Your CCIE in Security' in Packet Magazine August 2004 page 18.
I'm not trying to compete with them. They are the masters. I'm just another guy who has just passed CCIE lab recently and willing to share his way.
So here it is, my version of Cracking CCIE Lab:
1. Start with the self-assessment
Are you sure you want to do CCIE? As you may already heard: yes, CCIE is difficult, very rare people can pass in 1st attempt. Yes, CCIE is expensive, only the exam fee is $1250 and you still need to spend money to build home lab, buy books and workbooks and other resources. And yes, you certainly will not have your social life during the journey.
But if you really want to do it, if you really want to distinguish yourself and stand out from the crowd, I suggest you to do self-assessment as the first step.
Read CCIE lab blueprint. For Security lab, it's on here.
CCIE blueprint will tell you the coverage of the lab and areas you need to focus on during your study. Then ask your self: are you familiar with those technology listed in the blueprint? If you have 4-5 years experience working in Cisco partner deploying Cisco security solutions on the field, you should know at least 60 to 70% of the blueprint easily. Then you just need to study for the rest 30%.
But even you don't have much experience and feel completely lost reading the blueprint, CCIE lab is still achievable. Continue reading.
2. Use other certification as steeping stone
This is optional if you think you need some help for your study. Cisco has created certification career from basic, medium to expert level, which is CCIE.
Read the complete information here.
For CCIE Routing & Switching, CCNP can help you to learn routing, switching, Remote Access technology and troubleshooting skill.
For CCIE Security, you must learn Cisco security technology and you still need to deal with some Routing and Switching because the network in your lab must be built first before you can secure it.
So to learn Firewall, VPN, IDS and Router security at a time, you can use CCSP certification.
And to learn Routing, I recommend to take CCIP.
Why CCIP? Because in CCIP, you will learn about IGP Routing and BGP in advance. And you will learn Quality of Service. QOS is important because there are lots of attack mitigation techniques can be done using QOS. For example, instead of dropping ICMP flood traffic we can just limit the bandwidth, so we still can have legitimate ICMP traffic.
The MPLS exam is not important so you can either skip it or just take it and become CCIP.
Most of the switching part in Security lab is pre-configured. So you can just start by learning the security technology in Cisco 3550 switch. That should be enough for switching part. And this is one of the reasons why I don't recommend CCNP for CCIE Security lab but CCIP instead.
Taking those certifications give you benefit to learn specific technology at a time and even you are not a CCIE yet, at least you will achieve CCSP and CCIP. Something is better than nothing.
3. Build your home lab
I believe having a home lab is compulsory. You can always rent a rack but you will have a fix schedule with them. With home lab you are the one who controls the schedule. And you can always try in your home lab directly every time you read something interesting or you just want to test the option in some IOS commands.
If you have tight budget, at least you should have few routers at home.
My recommendation for minimum home lab: 5 routers and 1 switch.
The cheapest routers that you still can use for CCIE lab is 2610 series.
They can run IOS Firewall natively and if it's required you can boot Enterprise software for 2600 XM series with this trick.
You can find Cisco 2610 with less than $200 on eBay.
Don't go to 2611 or 2620 since they only offer more interfaces or Fast Ethernet but they still run exactly the same software with 2610. You don't need Fast Ethernet for sure and you can always create trunk to have multiple interfaces.
Buy 1 Cisco 2522 or 2523 as Frame-relay switch. Obviously you need WIC-1T modules and V35 back-to-back cables. Cisco 3550 switch, the one currently in CCIE Lab, is expensive so you can replace it with 2950 model. Cisco 2950 can't run routing and all enhance Layer 3 features, but you still can test those with rental lab.
For Security lab, you must have a PIX firewall. Either the smallest series, 506E, or franken PIX.
With 506E you have only 2 interfaces but again, you can make them as trunk to have multiple interfaces.
If you have option to buy either VPN concentrator or IDS, get the VPN.
Or you can rent a rack for several hours only to practice both of them.
So, with 4 Cisco 2610 routers, 1 Cisco 2522 FR switch, 1 Cisco 2950 (without Giga ports), 1 PIX 506E, and several WIC-1T modules and back-to-back cables, your home lab should not cost you more than $2000. And all of these can be sold once you pass.
You still need to spend some money to rent a rack, at least to practice VPN, IDS and 3550 features.
4. Passing written exam doesn't mean anything
Based on my experience so far, I found out that studying written exam can't help you much in the lab. Most of the time the material covered in written exam is completely different with the lab.
So until Cisco makes the written exam more related to the lab, I suggest to just pass it, even if you have to cram the material or use some practice test.
My suggestion is to read the written exam book just like CCIE Security Exam Certification Guide and then practice the questions using product like from boson.
With one note: don't trust the answer from any practice test vendor. Find out the answer by yourself from CCO or Internet and this will accelerated your study. This kind of attitude will help you in the lab later on.
Passing CCIE written doesn't mean you are a half-CCIE. For me, it doesn't mean anything in fact. It's only a pre-requisite exam that you must take before you can register for the lab.
Nothing to be proud of even if you score 100 in written. Last time I took the exam the passing score is only 70. Get 71 to pass and register for your lab. That's what matters.
5. Read a lot
No single source can make you pass CCIE lab. You really need to read a lot from different resources: Cisco website, RFCs, Networkers, Ciscopress books, study forum, CCIE workbooks and any related links on the Internet.
Following is the list of resource I used during my CCIE Security study:
1. Cisco configuration example and TechNotes
2. Cisco technology support
3. Cisco documentation CD (univercd), which is basically the same with product configuration guide
4. Networkers Online presentation, it costs me 200 bucks but provides complete Networkers 2005 presentation in Las Vegas with sound and slide
5. IETF RFC
6. Ciscopress CCIE Security Exam Certification Guide - H. Benyamin
7. Ciscopress Network Security Principles and Practices - Sadat Malik
8. Ciscopress Cisco ASA and PIX Firewall Handbook - Hucaby
9. Ciscopress Cisco Router Firewall Security - Richard Deal
10. Ciscopress CCIE Security Practice Labs - Yusuf Bhaiji
11. CCIE Security Workbook from Trinetnt
I have other CCIE Security workbooks from IP Expert, Internetwork Expert, 6colabs, Hello Computers, and CCBootcamp.
But during the last 4 months before my exam, I had been focusing only with Trinetnt. As per date, they are the most decent workbook and they cover almost everything in CCIE blueprint.
12. CCIE Lab forum: SecurityIE and trinet forum
Just FYI, I have already passed CCSP, CCIP and I have more than 5 years experience with various Cisco security products before I started my CCIE Security journey.
6. Build your speed
Okay, now it's time to practice and try all the technology listed in CCIE blueprint in your lab. Start slowly. Learn single topic at a time. Try to really understand all possibilities in one technology before move to different topic.
This is where the CCIE workbooks can really help. Good workbook like the one from Trinet provides minilabs to focus on single topic at a time.
I recommend to start slowly because studying CCIE sometime can be really frustrating. Especially when you stuck with one thing and don't know where to find the answer. That's why I against the idea to jump directly to complex lab scenarios. Single step at a time.
Once you get used with the lab flow, try to increase your speed.
Practice, practice, practice.
You need to be fast in the real lab. And there is no other way other than practice.
Keep repeating the same thing until your fingers, not only your brain, memorize how to configure any security technology listed in blueprint.
I use only the best workbooks to practice: Trinet and Bhaiji's book.
I found out if you can complete 1 Trinet superlabs with less than 3 hours time, than your speed should be fine for real lab.
Obviously when you practice with any workbooks, you must understand why and when you should configure with certain way.
7. Join the community
You can't win this battle by fighting alone. Join the community to meet other CCIE candidates and study together. I found SecurityIE forum is really helpful. There are a lot of security experts in that forum and the discussion is really depth. The forum archive is priceless.
Trinet forum was active when it was started. I was involved from beginning so I enjoyed my time discussing directly with Khawar Butt, the founder. I can see now there is very less response from Khawar anymore in that forum. But I believe you still can discuss with other CCIE candidates. And try to dig the archive to see whether things you are looking for have been discussed in the past.
If possible, try to create small discussion group. I met some wonderful people from those forum and we decided to study together. It's always good to have somebody else to verify your weak points.
During my journey, I was really happy just to know that there are several people out there that I can discuss with every time I stuck in my lab at 3 am in the morning.
8. Learn how to ask
Make sure you know how to ask questions, to the study forum and during the real lab. Before you send something to the forum, please make sure to check the archive. Try to test it by yourself in your lab, and when you get stuck, copy the related configuration with show and debug output and send it to forum.
With this way, we can build a healthy discussion and most probably you will get positive answers.
This attitude is important when sitting in the real lab too. During my 2nd attempt, my proctor mentioned something like: “if you have any questions you can ask me, but most probably I will not answer”
So you need to know how to ask question to your proctor. Otherwise he will throw his pity look to you and say: I'm sorry I can't answer that.
I believe if you know all the technology listed in the blueprint, and you already have this attitude, you should be able to ask smart question to the lab proctor. They are there to clarify the lab questions, and that's the only thing you should try to get from them: clarification.
By asking the right question for sure.
9. Understand the Lab questions
Speed is critical, but you need to know how to answer too. So when you think you already have the speed, you need to dig each topic in more detail. There is no other way other than try any possible scenarios and read more to understand all technology in-depth. Check all the options from each IOS command, test it, run the debug, compare the result, then move to different technology and do the same thing.
During the real exam, don't overlook and make assumption. Read the question carefully. And if you don't understand something, you can ask clarification from the proctor.
Yusuf mentioned in his book that most candidates fail not because they don't understand the technology, but because lack of understanding the question. Make sure you read his book several times to make sure you understand what he expects from the answer.
10. Trust no one, trust no solution
You should not trust any of your resources until you prove it by yourself.
This is the only attitude that can make you pass.
I found a lot of mistakes in Cisco sample configuration and workbook solution. Even Bhaiji's book contains several errors. Study forum is good because people try to test something together. But are you sure the solution posted really works?
Why you have to bet, just try it by yourself in your lab.
Every time you see some scenarios and the answers, always ask the questions: What if? Why not using this? How if I modify that?
I like Trinet because the workbook provides general idea of the real lab and makes me really fast. But I don't just believe their solution. I always tried to answer their scenarios with my own way, and then modified the scenarios, put more requirements and restrictions.
I often ended up with my own scenarios, which are much more difficult from the original.
11. It's all in your mind
CCIE is completely a mind game. I failed 4 years ago in my 1st CCIE R&S attempt in Brussels because no one told me at that time how difficult CCIE lab was. Everyone I know always told me that the CCIE lab is so difficult that only few selected people who can pass it. And I'm certainly not one of them.
I went to my 1st attempt with this feeling, that I was not ready and CCIE questions would always be one step ahead me. It was 2 days exam and I was able to reach troubleshooting section on 2nd day. But I failed with 5 mark away from the passing grade. I felt terrible but I realized one thing: CCIE lab is achievable. If you have spent a lot of time to prepare, then it's even possible to pass on your 1st attempt.
For my 2nd attempt in Tokyo 1 month later, I woke up in the morning and told myself in front of the mirror that I would become CCIE that day.
CCIE lab is an exam and the proctors are "only human". I kept telling myself: there is no spoon.
I was able to keep my sense of humor even in Japan I had to use Japanese version of Windows and keyboard.
One and half hour before the troubleshooting section over, I have already walked out Cisco office with my CCIE number.
Indeed I failed in my 1st Security lab attempt last December. But I failed at that time because I was so confident and overlook several things. I was really sure that I would pass that day and made me forget one basic rule in CCIE lab: this is Cisco exam. They make the lab and they expect me to answer as per their solution.
12. The journey must be fun
In the end, CCIE lab is only an exam. Even it's Goddamn hard to pass but this journey must be fun. Turn all the pressure as a power.
Use any supports around you: your family, friends, working environment.
Manage your time so even you will not have social life at all but at least you should enjoy it.
And If you fail, do the classic: learn from your mistakes.
Try to know exactly what your mistake is and address it once you go back home.
Never think to stop in the middle, no matter how many times you fail.
I always believe that there are 2 kinds of CCIE candidates out there: one who always makes excuses why they should not do it again and quit, and one who just jumps back into their lab and start debugging their mistake.
The second one will pass eventually and join the elite club of experts. The first one will join the club of losers.
Which one do you want to end up? The choice is yours.