is an independent personal blog of Gabor Kis-Hegedus focusing on advanced, unusual or under-documented features of Cisco IOS, the software running on routers and switches produced by Cisco Systems.
September 12th, 2017 | Tags:

I remember how challenging was to achieve my CCIE cert, and how much time I spent to study broad topics on a deep level, specially in terms of Implementation and Troubleshooting. Ultimately I have used this experience to move forward to Design and Architect space.

Of course there is also part of the CCIE preparation to practice a lot of Vendor specific commands, but let’s face it, if one not working in OPs, those commands will fade away quickly, but the concepts not, and you can still apply all the stuff, you just need more time, and get some refresh. On the long road, for me CCIE was never about CLI, but used those commands to understand the theories.

I’m big fan of Network Automation & Open technologies and used Linux before, and scripted stuff before. I think generally getting dev skills (Python) has real value.Ultimately we don’t like the boring stuff, so we try to solve interesting problems using creative ways.

Network Automation and development shall be the de facto way of working in the future,and an important skill but getting a CCIE is more about a personal & technical challenge, which is useful, and will be useful in the future also – in my view, although I agree that the exam shall include some aspects of network automation, and shall be updated to be more realistic.

So ultimately I would put an AND logic, and not an OR logic between getting Expert Level Certification & Network Automation. As the top engineers of the future will be expert in networking concepts, and effective in engineering and delivery, and will support the business using agile methods.

December 22nd, 2014 | Tags:

This was a hard and productive year, so will be 2015. But that’s okay, because challenges moves one towards his/her goals.

Let’s stop for a moment now in the Holiday seasons and enjoy it!

With greetings of peace and prosperity, I’m wishing the very best for you during this special time. May you enjoy all the best now and throughout the coming year.


July 17th, 2014 | Tags:

On my #2 attempt, 5-6 days before the end of the V4 track, I passed my Routing & Switching CCIE lab Exam, and earn my number: #43897

I’m very very happy right now. This was a huge Mental and Technical challenge, and a very important step in my personal and professional development.  I already received my CCIE plaque.

Personally I think it’s very nice, built from high quality materials. Couldn’t resist to do some photoshopping on the photoMosolygó arc


What’s now? Well I already subscribed to Ivan Pepelnjak’s great webinars to study other technologies, and some real life design scenarios.

I’m planning to do a series of blog posts about the preparation, how I see it, but currently enjoying the summer.

However, if you are studying for the exam, check out the CCIE Mental Preparation LinkedIn group, where we are discussing about the Non-Technical part of the CCIE Journey.

March 23rd, 2014 | Tags:

First a quick update: I have 64 days, 8 hours and 3 minutes left until my #2 attempt. So everything goes according to the plan, and I’m happy, because I can allocate more than 50 hours / week nowadays for the preparation. But, there is an awful lot of things to do..

Today I discovered a small trick, which we can include in our *HUGE* CCIE Toolbox SET.

If you know a command, but, you don’t know the exact syntax (or parameter keywords), you can use either the command ref on the DocCD, or the show parser dump command. (The command is not available from 15.0(1)M, but it’s okay, we live in the 12.4T world).

Let’s try with my favorite command:

Rack1R3#show parser dump router | i 15.*bgp.*redist
15 bgp redistribute-internal

or another one:

Rack1R3#show parser dump interface | i 15.*pim.*nei
15 ip pim neighbor-filter
15 ip pim bidir-neighbor-filter

This feature can be very handy, if you write the config in notepad, and you don’t know the parameters exactly:

Rack1R3#show parser dump map-class | i 15.*frame.*
15 frame-relay mincir <1000-45000000>
15 frame-relay cir <1-45000000>
15 frame-relay bc <300-16000000>
15 frame-relay be <0-16000000>
15 frame-relay custom-queue-list <1-16>
15 frame-relay adaptive-shaping becn
15 frame-relay adaptive-shaping foresight
15 frame-relay adaptive-shaping interface-congestion
15 frame-relay traffic-rate <600-45000000> <0-45000000>
15 …

Check out this post also at the INE Blog.

February 13th, 2014 | Tags: , ,

I’m now revisiting the IOS Services as part of my CCIE study, so yesterday I discovered HSRP version 2. The default version is 1, and without the standby version 2 command, we can’t really see the new parameters using the “?”.

So, we have some exciting new features, as stated here:

  • In HSRP version 1, millisecond timer values are not advertised or learned. HSRP version 2 advertises and learns millisecond timer values. This change ensures stability of the HSRP groups in all cases. – This means, we can archive sub sec. convergence:

003056: .Feb 13 09:58:24.623: HSRP: Fa0/0.146 Grp 1024 Hello  out Standby pri 110 vIP
003057: .Feb 13 09:58:24.815: HSRP: Fa0/0.146 Grp 1024 Hello  in Active  pri 200 vIP
003058: .Feb 13 09:58:25.427: HSRP: Fa0/0.146 Grp 1024 Hello  out Standby pri 110 vIP
003059: .Feb 13 09:58:25.607: HSRP: Fa0/0.146 Grp 1024 Hello  in Active  pri 200 vIP

  • In HSRP version 1, group numbers are restricted to the range from 0 to 255. HSRP version 2 expands the group number range from 0 to 4095. – I always wanted to map the VLAN IDs to the standby group IDs. Well, here we go.
  • HSRP version 2 provides improved management and troubleshooting. With HSRP version 1, you cannot use HSRP active hello messages to identify which physical router sent the message because the source MAC address is the HSRP virtual MAC address. The HSRP version 2 packet format includes a 6-byte identifier field that is used to uniquely identify the sender of the message. Typically, this field is populated with the interface MAC address.
  • The multicast address is used to send HSRP hello messages. This address can conflict with Cisco Group Management Protocol (CGMP) leave processing.
    There is also a cool feature regarding Router-on-the-stick implementations. With the HSRP follow feature we can configure groups to follow a master group. This sound great if you have a lot of sub interfaces on the upstream routers, operated in HA environment.
    An example configuration:

Rack1R6#srs FastEthernet
interface FastEthernet0/0
no ip address

interface FastEthernet0/0.67
encapsulation dot1Q 67
ip address
ntp multicast
standby version 2
standby 2048 ip
standby 2048 follow TEST
standby 2048 preempt

interface FastEthernet0/0.146
encapsulation dot1Q 146
ip address
standby version 2
standby 1024 ip
standby 1024 timers msec 800 3
standby 1024 priority 110
standby 1024 preempt
standby 1024 authentication md5 key-string CISCO123
standby 1024 name TEST


Rack1R6#sh standby fastEthernet 0/0.67 all
FastEthernet0/0.67 – Group 2048 (version 2)
  State is Active (following "TEST")
    4 state changes, last state change 00:13:02
  Virtual IP address is
  Active virtual MAC address is unknown
    Local virtual MAC address is 0000.0c9f.f800 (v2 default)
  MAC refresh 10 secs (next refresh 3.104 secs)
  Preemption enabled
  Active router is local
  Standby router is unknown
  Priority 100 (default 100)
  Group name is "hsrp-Fa0/0.67-2048" (default)
  Following "TEST"

Rack1R6#sh standby brief
                     P indicates configured to preempt.
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0.146   1024 110 P Active  local 

December 4th, 2013 | Tags:

As we expected, today Cisco announced the new version of the CCIE R&S Exam. The good news, is that Cisco provides us the six-month notice, so the last date for testing is June 3, 2014.

Now is the time to Schedule your last v4 Lab ExamMosolygó arc

Those who would like to go directly for the v5, here is the new exam blueprint, and here is the new equipment list.

So what’s new in v5?

November 7th, 2013 | Tags: , ,

It’s awesome how easily you can reconstruct files from a dump ( wireshark / tcpdump / etc. ) file. We can use two methods.

Wireshark natively supports object extraction. This feature scans through HTTP streams in the currently open capture file or running capture and takes reassembled objects such as HTML documents, image files, executables and anything else that can be transferred over HTTP and lets you save them to disk.

Just go under File-> Export Objects –> HTTP, and save the files.


The feature also supports CIFS/SMB and DICOM data stream.

Another way is to use Tshark and foremost:

First extract the data from the capture file:

root@deepspace:/tmp# tshark -r test.pcap -T fields -e data -w test.raw

Use foremost to extract the files/data:

root@deepspace:/tmp# foremost -v -i test.raw

Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Thu Nov  7 12:11:13 2013
Invocation: foremost -v -i test.raw
Output directory: /tmp/output
Configuration file: /etc/foremost.conf
Processing: test.raw
File: test.raw
Start: Thu Nov  7 12:11:13 2013
Length: 1 MB (1948323 bytes)
Num      Name (bs=512)         Size      File Offset     Comment

0:      00000175.jpg           4 KB           89809     
1:      00003495.jpg           3 KB         1789881     
2:      00000165.gif           42 B           84784       (1 x 1)
3:      00000352.gif           42 B          180499       (1 x 1)
4:      00000367.gif           42 B          188271       (1 x 1)
5:      00003026.gif           4 KB         1549677       (336 x 39)
6:      00003248.gif           35 B         1663451       (1 x 1)
7:      00003252.gif           35 B         1665185       (1 x 1)
8:      00003257.gif           35 B         1668021       (1 x 1)
9:      00003423.gif           42 B         1752940       (1 x 1)
10:     00003440.gif           42 B         1761706       (1 x 1)
11:     00000003.htm          44 KB            1847     
12:     00000112.htm          22 KB           57821     
13:     00000212.htm          40 KB          108754     
14:     00000297.htm          21 KB          152265     
15:     00000374.htm         190 KB          191511     
16:     00003250.htm           64 B         1664225     
17:     00003444.htm          314 B         1763629     
18:     00000109.png          886 B           56122       (111 x 26)
19:     00000780.png           1 KB          399486       (24 x 24)
20:     00000817.png          889 B          418579       (24 x 24)
21:     00003452.pdf         175 KB         1767649     
Finish: Thu Nov  7 12:11:13 2013


jpg:= 2
gif:= 9
htm:= 7
png:= 3
pdf:= 1

Foremost finished at Thu Nov  7 12:11:13 2013

root@deepspace:/tmp cd output/
audit.txt  gif/       htm/       jpg/       pdf/       png/


So another reason why everybody shall use secure connections (i.e.: IPSEC / TLS / etc.)

Thanks packetlife and evilrouters for the info!

November 3rd, 2013 | Tags: , , ,

Well this was a rumor for a while, but it seems that it is here now. I currently scheduled my lab to 28 Feb, 2014, but I would like to postpone it to May. The question is now, should I?

According to the new INE post, it’s not a good idea.

There are others out there, who tell us not to Panic:

..and, Lindsay Hill create a nice summary post.

So, what the f…? I already contact with the Cert Support Team, and waiting for a specific answer: Should Cisco Systems announce the CCIE exam version change 6 months prior to the implementation of the new exam format, or not?

If the answer is yes, then we don’t need to panic, yet…


Dear Gabor,
Officially Cisco is not obligated to give any notice when retiring an exam, as a courtesy Cisco tries to announce the retirement or change within 6 months of the actual change date.

CCIE Support Specails


September 26th, 2013 | Tags:

The new Cisco Security Advisory Bundle is here:

The next publication is scheduled for March 26, 2014. Let’s put this date in to our calendars.

September 8th, 2013 | Tags: , , ,

Just a quick refresh about the Loop guard STP feature interoperability. We can read about this topic in the  Spanning-Tree Protocol Enhancements using Loop Guard and BPDU Skew Detection Features whitepaper:

The root guard is mutually exclusive with the loop guard. The root guard is used on designated ports, and it does not allow the port to become non-designated. The loop guard works on non-designated ports and does not allow the port to become designated through the expiration of max_age. The root guard cannot be enabled on the same port as the loop guard. When the loop guard is configured on the port, it disables the root guard configured on the same port.

Once you configure loop guard on a root guard enabled port, the switch will happily disable the root guard feature:

Sep  8 10:16:02.943: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard disabled on port FastEthernet0/13.

What about the Uplink/Backbone fast features?

Both uplink fast and backbone fast are transparent to the loop guard. When max_age is skipped by backbone fast at the time of reconvergence, it does not trigger the loop guard.