Lowering your MTU solves weird problems


What do I mean by “weird problems”? Some websites don’t load fully, you can access network shares but cannot actually open the files, your teamviewer sessions are suddenly disconnected etc. Mind you, lowering MTU on endhosts is not really a good solution because then you need to do it on all your endhosts. Typically, you will lower the MTU on your router, but what if you cannot access your router or the router doesn’t have the option to change the MTU size?

You typically have this problem when on a PPPoE connection, if MTU on the router is set to 1500 instead of 1492. However, it seems that UPC customers have this problem and lowering the MTU on the machines helps, too, because it makes more space for any headers and administrative overhead that is necessary to make protocols work.

Now why does lowering the MTU size help? Because endhosts can fragment a large segment of data better than intermediary routers. Some routers will just do a bad job of fragmenting/assembling the packet. But if the endhost sends packets that are small enough not to be fragmented anywhere on the path from host A to host B, nobody needs to do any fragmentation at all.
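To find the right value instead of guessing, here is an added example (not code from the original post) that probes the path with the DF bit set and binary-searches the largest packet that gets through, then derives the MTU and TCP MSS to configure. `ping_df_probe` assumes Linux iputils `ping` syntax, and `simulated_link` is a constructed stand-in so the search can be run offline.

```python
import subprocess
from typing import Callable

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header
TCP_HDR = 20   # TCP header without options


def ping_df_probe(host: str, payload: int, timeout: int = 1) -> bool:
    """Send one echo with DF set and `payload` data bytes (Linux iputils syntax).
    True if the reply arrived, False if a hop dropped it as too big."""
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def discover_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest echo payload `probe` accepts, with lo/hi given as
    candidate link MTUs, and return the path MTU that payload corresponds to."""
    lo_p, hi_p = lo - IP_HDR - ICMP_HDR, hi - IP_HDR - ICMP_HDR
    if probe(hi_p):
        return hi                      # full-size packets pass: nothing to lower
    if not probe(lo_p):
        raise RuntimeError("even the minimum-size probe was dropped; check connectivity")
    while hi_p - lo_p > 1:             # invariant: lo_p passes, hi_p is dropped
        mid = (lo_p + hi_p) // 2
        if probe(mid):
            lo_p = mid
        else:
            hi_p = mid
    return lo_p + IP_HDR + ICMP_HDR


def tcp_mss_for_mtu(mtu: int) -> int:
    """MSS to clamp on the router (ip tcp adjust-mss) so TCP segments fit the MTU."""
    return mtu - IP_HDR - TCP_HDR


def simulated_link(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping_df_probe: a path whose narrowest hop is path_mtu."""
    return lambda payload: payload + IP_HDR + ICMP_HDR <= path_mtu


if __name__ == "__main__":
    # Offline run against a simulated PPPoE path (1500 minus 8 bytes of PPPoE/PPP = 1492).
    mtu = discover_path_mtu(simulated_link(1492))
    print(f"path MTU {mtu}: configure ip mtu {mtu} and ip tcp adjust-mss {tcp_mss_for_mtu(mtu)}")
    # Real probe: discover_path_mtu(lambda n: ping_df_probe("example.net", n))
```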





Can’t apply ACL on nexus 7000?

Unbelievably, there is a bug on Nexus 7000 that can prevent you from applying any ACLs to an interface: the following command fails with TCAM allocation errors.

ip access-group MYACL in


The solution is to use the following command:

hardware access-list resource feature bank-mapping


I was quite proud of the fact that I found the solution in 20 minutes.


Troubleshooting VPN S2S takes patience


I’ve found a number of times that if you have a crypto map that is applied to an interface, changes made to the transform-set that is applied to this interface are not applied instantaneously. So e.g. you have this crypto map:

crypto map MYMAP ipsec-isakmp 10
 set peer
 set security-association lifetime kilobytes 4608000
 set security-association lifetime seconds 3600
 set transform-set MYSET
 set pfs group5

Now if you change MYSET, your router may still negotiate with the old MYSET. Possible solutions:

  • be patient, wait 15 minutes
  • clear the crypto map, apply it again
  • shut and unshut the interface

So if you’re troubleshooting a broken S2S VPN, make one change, wait 15 minutes, check, and only if it’s still not working make another change.

Today I spent 80 minutes in a troubleshooting session with an engineer from the remote end trying one thing after another and nothing worked. We ended the session and set up another one for the next day. I reverted the config to the original settings + made 1 change that should be ok (but it still wasn’t ok!), went shopping, came back, and it just worked!


I love the ARCH 300-320 book.

Reading through the new CCDP book, I came across an interesting fact. Turning off trunk mode negotiation (switchport mode trunk) and DTP (switchport nonegotiate) can reduce the link transition time by 2 seconds!

Further, it is good to put your most important VLANs on low-numbered VLAN IDs, because they are the first to come up. This probably saves milliseconds rather than seconds, but it’s still a timesaver.

CCDP preparation status and what’s coming up in 2017

I still have about 2 months to prepare for CCDP and everything is going as per plan. I’m about 2/3 into the CCIE R&S course (partly to revise for CCDP, partly to prepare for CCIE R&S written), I’ve started reading the CCDP official guide. I may revisit the cbtnuggets CCDP course, too, because Jeremy has added some new units after the CCDP exam changed. If I still have time, I may read some CVDs (Cisco Validated Designs), but I don’t want to actually overprepare because 60-90 minutes a day is the absolute maximum I can do these days without getting fed up with my learning/life ratio.

Now the end of 2016 is drawing near so here’s a short summary:

  • I’ve passed 5 exams (CCDA, JNCIS-ENT, SIMOS, SISAS, SITCS)
  • I’ve changed my job and it turned out to be a good move
  • I’ve found a partner for my business and in the last 4 months we’ve managed to push forward quite a bit (website, racks, leaflet design etc.), we’re in a discussion with a major IT player to be a technology partner for our courses
  • I’ve had some interesting experiences like the 4 week stay in Oslo to help their local network provider

All in all, a really good year!

And here’s a tentative schedule for 2017:

  • CCDP exam in late February (edit Feb 19: PASSED!!!)
  • first ad campaign starting in mid March
  • first network courses in mid April
  • e-learning platform launch in May/June
  • remote rack rental service launch in July
  • 2nd run of network courses in September
  • CCIE R&S written in October/November
  • first CCIE lab attempt in December/January 2018

I’m really excited about this plan because I’ve never had so much stuff happening both in my personal and work life. I guess that I’ll be over the moon if I can do 75%. Anything above will be a tremendous achievement.

Oh so you have CCNP (smirk, smirk)

I’ve had a handful of funny experiences lately with people trying to ask me difficult questions so that I can prove that my CCNP was actually deserved.

Frankly, I don’t get it: where does that come from? I mean, it’s not like I put CCNP on my CV to show off, and even if I was showing off, isn’t your CV the right place where you can say what you’ve achieved?

So, yes – I’m proud of my CCNP, and no – it doesn’t make me an expert. I don’t think any certificate makes anyone an expert because it’s just a piece of paper. But boy is getting that piece of paper fun! To me, these exams are like checkpoints where you can measure how much time and effort it took to get to a certain level. I don’t print my certs and put them up on my wall, I don’t put them in my email footers, but why shouldn’t I put this stuff on my CV?

I will put my CCIE up on every wall in my apartment when I pass it, though. Just kidding. I won’t.

I might will.

I think I will.

Testing Rack 1 for the demo

Today I spent like the whole day connecting rack 1. I made an absolute mess with the cabling because I was in a hurry, but other than that the rack is ready. I had a bit of a setback with the LAN power strip because it failed right after I came back home, so I’m gonna have to replace it before the demo on Thursday, but it looks like I will be able to use the rack during the demo!

The next step is to set up VPN on the ASA firewall + install a PC that will serve as a monitoring station (logs, tftp, snmp, etc.).

The side effect of today’s work is that I have enough stuff for Rack3 – I bought some more routers in November and I unpacked them today.

The big plan is to start selling a rack rental service in January. It would be a pity to have a pile of equipment turned off 80% of the time.

How to learn and how we do it


What portals do I use to learn?

  • INE
  • CBT nuggets
  • Chris Bryant’s Bulldog courses at udemy.com
  • Skillsoft

It’s difficult to say which one I prefer, because it depends on the level you’re at. If you’re starting, get a subscription at cbtnuggets.com or get Chris Bryant’s course. If you’ve already passed CCNP, INE should probably be the logical next step. Skillsoft courses are a bit different in that there’s more theory and less practice, but I’ve found that they can be more in-depth in certain areas (e.g. security) than CBT’s equivalents, although INE will usually offer the most depth. CBT is a nice primer if you know nothing and you want to get a feel of what’s coming up.

Something to bear in mind is that before an actual exam you need to read Cisco documentation, because a lot of topics don’t come up in any course. Sometimes that is because Cisco didn’t actually specify a given topic in their exam blueprints, sometimes because the trainer didn’t think that the topic was important enough, or quite the opposite: a topic could be too complex and they didn’t think that the exam would go into that much detail (the SIMOS exam is the best example here, where the exam is soooo much more comprehensive than what the blueprint says).

Of course, lab up anything you’ve learnt because you will be amazed at how fast you forget stuff you don’t use. Commands are best learnt with your fingers, not with your eyes.


Lastly, don’t exaggerate with the pace. 1-2h of learning a day is probably the absolute maximum for people with some personal life. “Speed runs” are good only for a short time, I guess. (divorce rates appear to be distinctly higher in CCIE holders)

CCDP exam countdown starts as official guide is already out on Safari!


As you might know, I’m a big fan of Safari. I’m now preparing for the revised CCDP exam so I was pleasantly surprised when I found the official guide on Safari – one month before the official release date! Nice!!!

I’m hoping to take the exam sometime in March. My plan is to go through the whole CCIE R&S material (which covers a lot of material from CCDP), read the CCDP book plus read as many Cisco Validated Designs as I can. CCDA was a bit of a challenge because it had some legacy technologies that Cisco should have buried a long time ago, so maybe the revised CCDP will actually feature some real-life scenarios. I’ve learnt not to be overly optimistic about the quality of Cisco exams (their NDAs should say “don’t diss the quality of our exams publicly”). Sorry Cisco – I guess I still hold a grudge about that faulty routing lab you gave me in 2014.

DSL usernames and passwords for PPP in Telekom


I was connecting an 886 VA-J Cisco router to a DSL line in Germany the other day and I learnt some useful stuff:

  • if you do not use their Digitalisierungsbox as the modem, you need to get a TAE-to-RJ11 adapter. The TAE end goes to the DSL box with the cables that the technician installs in your wall, and the RJ11 end goes to the VDSL port on your router.
  • it turned out that the syntax for the dialer settings is a bit funny. So when they send you a piece of paper with some numbers (Anschlusskennung, T-Online-Nummer, Mitbenutzernummer, Kennwort), you are actually supposed to use them as follows: the CHAP hostname is the Anschlusskennung, followed directly by the T-Online-Nummer, then # and the Mitbenutzernummer, then @t-online.de; the Kennwort is the CHAP password.

So if Anschlusskennung is 11111111, T-Online-Nummer is 222222222222, Mitbenutzernummer is 0001 and Kennwort is 3333333, your CHAP hostname should be:

11111111222222222222#0001@t-online.de
And the whole config is as follows:

interface ATM0
 no ip address
 load-interval 60
 no atm ilmi-keepalive
!
! PPPoE client on the DSL PVC; Telekom expects the session tagged with VLAN 7
interface ATM0.7 point-to-point
 pvc 1/32
  bridge-dot1q encap 7
  pppoe-client dial-pool-number 1
!
! Dialer interface carrying the PPP session; hostname/password as described above
interface Dialer1
 ip address negotiated
 no ip directed-broadcast
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname 11111111222222222222#0001@t-online.de
 ppp chap password 333333


If you don’t get an IP address, turn PPP debugging on (debug ppp packet, debug ppp events) and put your thinking cap on, too 🙂