GroupStudy.com - A virtual community of network engineers

I guess I am CCIE(#14539) now...: My checklist #2 revised ( the final armor) for 5 April

* Subject: I guess I am CCIE(#14539) now...: My checklist #2 revised ( the final armor) for 5 April
* From: Jongsoo kim
* Date: Wed, 6 Apr 2005 08:49:49 -0400

Dear All,

I failed last 28-Feb in RTP, and when leaving RTP I felt very positively that I might have a good chance to pass it... but yesterday when I was leaving RTP, I knew I had finished all the questions on the paper with a confidence that this should be the answer, because there is no other way or I am 100% compliant with the restriction... On the other side, if I failed, I will definitely ask for regrading... However, I also had a feeling of what I am going to do if I failed this time after that much study... Obviously, the confidence that I used to have when I knew only a couple of ways to make it work isn't with me after I learned so many other ways that I didn't know...

Anyway, let me go over how our checklist worked during my lab.

First, I followed it exactly: CAT table, IGP drawing, and BGP drawing. Each of these drawings captures everything but IP addresses. The IGP drawing has nice coloring per protocol (a well-sharpened pencil was really good to use). I was like an MLS switch, where only the first packet of a new flow goes through the process and all others are done by ASIC.
Anything missing, I just update my drawing so that I don't have to go through multiple papers again, which reduced my brain CPU cycles significantly. I finished L2, IGP, ISDN, and BGP (with 4 questions (route filters) skipped, unrelated to full reachability) with TCL script validation of good working full reachability before lunch. I couldn't believe how fast I was able to finish OSPF compared to last time.

I rebooted the routers right before lunch. When I came back, I ran TCL again and was surprised to find out ping failed to one router and a BGP neighbor was down. One of the default-metrics disappeared... which I thought might have happened on my other trials..

After I achieved full reachability by lunch, I knew I was controlling time, unlike being controlled by it in my last attempt. It was a totally different game when I could control the time... Whenever I do some flow restriction, I ran TCL to validate I am not breaking any previous work.

There was only one question (2 points) I didn't know... ironically it was the last question of the lab and it was security again, related to some flow restriction... Initially I thought it is only 2 points and I'd rather give this up because I didn't want to repeat my nightmare on my 2nd attempt. But I sort of recalled some discussion on groupstudy on a similar topic. After some research on the CD, I was able to get it right because my solution matched the result criteria. Immediately, I ran the TCL script and checked all the related protocols.

And finally, I rebooted all the routers and switches, of course after "wr", before going to the restroom. And I ran TCL again and saw a ping drop, but I was in good control because I was confident my config is correct. It turned out that the switch's OSPF came up later than the router... That was the last thing I did, and I walked out...

Regards
Jongsoo

On Apr 4, 2005 2:25 AM, Jongsoo kim wrote:
>
> Folks, thanks for all the excellent feedback.
> Based on the group's feedback and my trial test to see how practical and
> efficient my checklist is, I revised some of them. Also I was advised that
> I can't bring outside pens, so I will do coloring with the color pencils
> available on the desk.
>
> #1 Spend a few minutes to understand the point distribution between
> core requirements (L2, IGP, BGP, ISDN) and non-core (IOS, Service,
> Security, Mcast).
>
> #2 Spend a few minutes to understand the topology.
> Figure out core network, stub network, BB.
>
> #3 Enter alias commands into notepad and copy-paste to all routers.
> "show run | b Se" (surprisingly, I didn't use this command after I built
> the drawing, because I can find out my sub-interface number from the
> drawing!)
>
> #3 Attack F/R (targeting 10~15 min)
> While reading the task, draw a quick diagram showing interface type (ph,
> m, p2p).
> Configure router by router, not interface by interface.
> Always 0) shut 1) enc frame-relay 2) no frame inverse 3) no shut.
> Ping from spoke to spoke if possible, to validate.
> If PPP over FR, then always create VT first, user/password.
> In this way, I was able to do this in 7 min for 3 PVCs (each PVC has a
> different interface type).
>
> #4 Attack CAT (25~35 min)
> 4-1 While reading the task, make a VLAN table like below
>
> VL Router CAT1 CAT2 Router VL
> 10 R1 f0/0------f0/1 f0/2 ---------f0/0 R2 10
> 20 R3 f0/1------f0/3 f0/4 ---------f0/0 R4 30
> 40 R5 f0/0 ------f0/5
> 40 R6 f0/1-------f0/6
> f0/23---f0/23
> f0/24---f0/24
> vl 10 vl40
> client vtp server vtp
>
> Determine VTP mode, trunk mode.
> 4-2 Delete the vlan database ("delete flash:vlan") before configuring!
> Then configure 1) VTP, 2) VLAN, 3) cat-cat, 4) access port, 4) trunk port
> 4-3 Read the task once again and make sure nothing is missed
> 4-4 Ping VLAN by VLAN. Select only one device and ping all others on a
> specific VLAN.
> No need to ping from multiple interfaces on the same VLAN.
> Don't wait for ARP resolution!
> CAT takes about 25 minutes in my scenario (but the real lab would take
> shorter).
>
> #5 Attack ATM (I can spend a lot of time if I screw up the config. 5~25 min)
> Quickly decide PVC vs SVC
> 5-1 If SVC, then decide "CLIP" or "SVC nsap"
> Put "pvc 0/16 ilmi" and "pvc 0/5 qsaal" and "show atm ilmi-status" to
> validate the NSAP address.
> 5-1-1 If CLIP, then decide "arp-server self" or "arp-server nsap"
> And then decide physical or sub
> 5-1-2 If SVC nsap, decide physical or logical
> 5-2 If PVC, then decide "pvc vci/vpi" or map-list/map-group
> 5-3 After 5-1 or 5-2 is done, figure out NSAP or vci/vpi. Pay attention:
> NSAP is HEX!
> If PPP over ATM, then always create VT or dialer interface first, then
> user/password
> 5-4 Ping and validate
>
> ############## L2 is over between 40 ~ 1:15 ###########################
>
> #6 Attack OSPF
> Based on my test, it was very important the way I write it down on paper
> in order to make the router-by-router step work.
> 6-1 While reading the task, draw a diagram to configure OSPF router by
> router, not area by area, w/ green coloring. (10 min)
> Check if there are
> authentication
> stub or nssa
> virtual link
> Make a note on redistribute, summary, area-range.
> Pay attention to DR/BDR, OSPF network type.
> Write config separately for interface and ospf on the drawing.
> For example, the below was my note on the drawing I made while I was
> reading the task.
>
> For R1
> int s0/0.123
> p2m, md5,
> int s0/0.14
> non-bro, pri 0, md5
> int f0/0
> nothing
>
> ospf
> r-id
> a 0 md5
> a 12 nssa no-sum, no-red
> a 13 stub no-sum
> a 12 v r4 md5
> a 14 v r2 md5
> a 5 v r3 md5
> nei R2
> nei R3
> area 5 range
> summary
>
> This method makes configuration time very short, but it was extremely
> important not to forget anything to configure router-by-router, as many
> people pointed out.
> 6-2 Configure OSPF router by router based on the drawing in black (10~30
> min)
> First interface and then router ospf
> 6-2-1 Preferred sequence for configuring interface was 1) OSPF network
> type based, 2) priority, 3) authentication.
> 6-2-2 Preferred sequence for configuring the OSPF process was from
> "easy-to-forget" to "always know": 1) router-id (it seems to only help for
> virtual-link; I will skip if there is no virtual link) 2) area
> authentication, 3) area virtual link, 4) neighbor, 5) network (copy-paste
> from interface address)
> 6-2-3 Validate everything is working (show ip os ne, show ip os vir,
> show ip os interface, show ip route). (5 min)
> Just a note with this method, I was able to do OSPF among five routers in
> 15 min from drawing to core config, not including redistribute/summary/area
> range. This is my record time.
> Specially, virtual link config really seems to save time.
> There isn't much of a trap in OSPF like RIP. Very easy to validate it as
> well. If the config works, in most cases it should be correct...
>
> 6-3 Do redistribute, summary, area range (5 min)
> It was necessary to separately treat area range, or summary
>
> 6-4 Avoid any engagement with giant beasts. But make a note.
>
> ##### OSPF is from 35 ~ 55 min (total 1:15 ~ 2:10) #######
>
> 7 Attack RIP (20~30 min)
> It is very tricky!
> 7-1 Add RIP topology into the OSPF drawing with blue coloring (2 min).
> It seems RIP doesn't really have much detail info on the drawing.
> 7-2 Make sure active/passive interface.
> WATCH OUT: Split-Horizon is off on physical FR and ATM!
> Pay attention to RIP update method (M/B/U) and version, authentication.
> Never assume it is always V2!, no auto-summary, mcast, etc.
> This selection can be applied to each direction of an interface.
> 7-3 Configure router by router (5 min) per drawing.
> In fact, core RIP configuration is always router by router, as RIP doesn't
> have the concept of adjacency per link.
> 7-4 Validate (3 min)
> 7-5 Spend enough time to be absolutely correct on route-filter,
> summary, etc (5 min)
> 7-6 If mutual redistribution is required, make sure multi-exit point
> or single-exit point. Don't forget metric.
> If it is multi-exit point, write down "rip subnets" on notepad and do
> the following (5 min)
> 7-6-1 "redistribute ospf" under "router rip"
> ##### Prevent RIP-originated routes entering RIP from OSPF ############
> "Deny rip routes and permit all" route-map for "redistribute ospf" to
> rip
> Don't wait after "clear ip route *" is issued if I am not "idiot!"
>
> 7-6-2 "redistribute rip subnets" under "router ospf"
> ##### Prevent OSPF external routes entering OSPF from RIP #####
> "Permit only rip routes" route-map for "redistribute rip subnets" to
> OSPF
> Don't wait after "clear ip route *" is issued if I am not "idiot!"
>
> 7-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
> ##### Fix redistributing router's AD for RIP routes #####
> distance 121 0.0.0.0 255.255.255.255 11
> "access-list 11 permit rip routes"
> I saw sometimes this takes quite a few seconds. Don't do "clear ip
> OSPF" or I will end up spending more time just for watching.
>
> #### RIP is over 20 ~30 min (total 1:35 ~ 2:40) ############
>
> 8 Attack EIGRP (20~30 min)
> 8-1 While reading the task, add EIGRP topology into the OSPF drawing in
> black w/o blue coloring (2 min).
> 8-2 Determine non/passive/active EIGRP interface. Be open minded that
> BB can be multicast/unicast.
> WATCH OUT: Split-Horizon is off on physical FR and ATM!
> Load-balance, authentication, stub,
> summary address (5 min)
> 8-3 Configure router by router (5 min) per drawing
> 8-4 Validate (5 min)
> 8-5 Spend enough time to be absolutely correct on route-filter,
> summary, etc (5 min)
> 8-6 If mutual redistribution is required, make sure multi-exit point
> or single-exit point.
> If it is multi-exit point, write down "eigrp subnets" on notepad (5
> min)
> 8-6-1 "redistribute ospf" under "router eigrp"
> ##### Protect EIGRP external route reentering from OSPF #######
> "Deny eigrp routes and permit all" route-map for "redistribute ospf" to
> eigrp
> Make sure metric is configured.
>
> 8-6-2 "redistribute eigrp subnets" under "router ospf"
> ##### Protect OSPF external routes reentering from EIGRP #####
> "Only permit eigrp routes" route-map for "redistribute ospf" to eigrp
> Make sure metric is configured.
>
> 8-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
> ##### Fix redistributing router's AD for EIGRP external routes #####
> distance 121 0.0.0.0 255.255.255.255 11
> "access-list 11 permit eigrp routes"
> I saw sometimes this takes quite a few seconds. Don't do "clear ip
> OSPF" or I will end up spending more time just for watching.
> Technically, only EIGRP external routes need to be applied, but EIGRP
> routes won't hurt and make it simple.
>
> ###### EIGRP is over in 20~30 min (1:55 ~ 3:10) ##############
>
> 9. Attack ISIS (10 min)
> 9-1 While reading the task, add ISIS topology into the OSPF drawing in
> black w/ purple coloring (1 min).
> 9-2 Determine area type, IS-type, authentication (domain, area,
> interface level1-2).
> Make sure of the correct value of NET (it is Hex), summary address
> 9-3 Configure router by router.
> 9-4 I don't believe there will be multi-exit mutual redistribution on
> ISIS.
> Make sure to redistribute connected networks from ISIS to OSPF.
>
> ###### ISIS is over in 10~15 min (2:05 ~ 3:25)
>
> 10 Attack ISDN (15~30 min)
> 10-1 Draw ISDN on a separate paper. (30 sec)
> 10-2 Determine single/both callers, authentication type (no
> auth/pap/chap), physical/dialer interface.
> PPP feature = multilink, callback,
> 10-3 Figure out back-up method (floating static/OSPF demand/watch
> group/back-up interface/rip trigger/snapshot routing). Focus on how
> full reachability can be accomplished after F/R failed. Make sure the
> link is not flapping.
> 10-4 Determine if there is an additional task for interesting traffic
> filtering.
> 10-5 Configure ISDN router by router.
> 10-5-1 Select switch type, spid, and shut and no shut, and show isdn
> status.
> Make sure L2 is happy! Also make a quick test call using both
> strings "isdn test call interface bri0/0 "string"" and disconnect
> "isdn test disconnect interface bri0/0 all"
> 10-5-2 Validate the link
>
> ###### ISDN is over in 15 ~30 min (2:20 ~ 3:55)
>
> 11 Golden Moment (5~30 min)
> 11.1 Test full reachability with ISDN back-up link off
> Check the Golden moment per NMC, meaning the exciting moment when you
> get a ping response from every router to every router.
> Run tclsh script
> "foreach addr {
> 1.1.1.1
> ...
> } { ping $addr }"
> Just copy-paste after tclsh (it is really cool when you see pings go
> through from everywhere to everywhere). To quit, just type "tclq"
> 11.1 Test full reachability with ISDN back-up link on
> 11.2 When ping has no response, write down the IP address and troubleshoot.
> The drawing will be an excellent tool for troubleshooting.
> Don't bother with the ISDN link yet.
>
> ########### Full reachability is done in 5 ~30 min (2:25 ~ 4:25)
>
> 12 Attack BGP (20 ~40 min)
> 12.1 While reading the task, draw a BGP topology on a separate paper. (3
> min)
> Drawing is very important in BGP.
> 12.2 Determine RR or CON or both to do full-mesh iBGP.
> See if neighbor peer-group is required,
> decide IP address to use for the BGP session.
> 12.3 Configure router by router, not BGP session by session.
> Always put no sync and no auto-summary if allowed.
> 12-4 Spend enough time to be absolutely correct on route-filtering (
> ACL, prefix-list, as-path filter), route-aggregate (w/ as-set,
> summary-only, suppress-map, attribute-map, advertise-map),
> route-manipulation (w/ as-prepending, med, local-pref, weight,
> next-hop, advertise-map/non-exist-map, origin, community, etc),
> route-dampening, etc.
> 12-5 Validate config. Use "clear ip bgp * soft", not "clear ip bgp *",
> and I don't have to wait!
>
> ###### BGP is over in 20 ~40 (2:45 ~ 5:05) My target is before lunch!
>
> 13 IPv6 (10 min)
> 13-1 Draw a simple diagram (1 min)
> 13-2 Watch out for link local address over FR multilink.
> SLA ID is the 4th 16 bits
> 16bit:16bit:16bit:SLA ID(16 bit):interface ID(64 bits)
> site-local = FEC0::
> link-local = fe80::
> 13-3 Check full reachability using the tcl script or just manual ping,
> depending on the number of routers.
>
> IPv6 is over in 10 min (total 2:45 ~ 5:15)
>
> ################## Core routing is done ####################
> I should have at least 2:45 hours to go at least.
>
> Strategy will change depending on how much time I have at this moment.
>
> 14 I would do multicast first (15 min)
> 14-1 While reading the task, mark the Mcast topology with a red highlighter
> on the OSPF drawing.
> 14-2 Determine mcast topology (dense-mode, static RP pim sparse,
> Auto-rp/MA, pim V2 bsr, Auto-rp/MA/MSDP).
> Spot any RPF issue per IGP topology.
> 14-3 Configure router-by-router
> 14-4 Validate it
> 14-5 If the second part is difficult, skip by making a note.
> ##### Minimum 2:30 left
>
> 15 IOS/IP service (25 min)
> Be careful not to block or drop any IGP updates
> 15-1 Just check quickly and do the easy ones first.
> 15-2 Skip difficult tasks by making a note.
> ###### minimum 2:05 left
>
> 16 QoS (30 ~ 40 min)
> Be careful not to block or drop any IGP updates
> 16-1 Draw a flow on paper instead of in brain.
> 16-2 Always determine classification method (ACL, NBAR) and direction.
> 16-3 Determine shaping vs policing
> 16-4 Consider all options for queuing (legacy custom/priority,
> bandwidth/priority, shape average/peak, FRTS/GTS)
> 16-5 Consider all options for policing (police, rate-limit, ip
> multicast rate-limit, aggregate police (3550))
> 16-6 If frame-relay, don't forget adaptive shaping (becn, fecn,
> foresight)
> 16-7 Consider all dropping modes (random detect, ecn, tail drop, marking,
> etc)
> ##### minimum 1:25
>
> 17 Security (30~40 min)
> Be careful not to block or drop any IGP updates
> 17-1 Draw a flow on paper instead of in brain.
> 17-2 Consider all options for classification
> std/ext/reflexive/dynamic ACL,
> IP inspect,
> tcp intercept
> unicast RPF,
> ip accounting output-packets/access-violations/precedence,
> 17-2 When configuring switchport port-security mac-address, be careful
> to include virtual and physical MAC if HSRP is running.
> ###### minimum 45 min
>
> 18 DLSW (15 min)
> 18.1 Draw a quick topology (1 min)
> 18.2 Decide method of DLSW: TCP, fst, fr. (I think only TCP will show up)
> Peer on-demand (group/border)
> Dynamic peering (dynamic)
> Loadbalance (round-robin, circuit-count),
> Back-up (back-up peer or cost)
> DLSW uses tcp 2065 and udp 2067
> NAT can affect DLSW (higher IP DLSW peer drops)
> 18.3 Decide type of filtering
> 18-3-1 Netbios name filter (netbios access-list host xyz permit zyx)
> Icanreach/icannotreach netbios-name / netbios-exclusive
>
> 18-3-2 MAC address filter (access-list 700-799, mac-address conversion
> needed)
> Icanreach/icannotreach mac-address/mac-exclusive (address conversion)
>
> 18-3-3 LSAP filter (access-list 200-299 permit)
> SNA only "access-list 200 permit 0x0000 0x0d0d"
> SNA and Netbios "access-list 200 permit 0xf0f0 0x0101"
> Icanreach/icannotreach saps
> icannotreach saps f0 (deny netbios)
>
> ###### minimum 30 min #############
> I am planning on at least 1:30 hours left.
> I will do the "tcl script" one more time to make sure everything works.
> I expect 2 ~ 4 questions I will skip.
> At this moment, depending on how much time I have, I quickly go back to
> the questions I skipped.
> I will invest my time in something I can see the best chance of getting
> right out of the skipped ones.
> Jongsoo from RTP
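The checklist's repeated reminder for the IOS services, QoS and security sections, "Be careful not to block or drop any IGP updates", can be turned into a pre-flight check before an ACL is applied. The following is an added example, not code from the post: it simulates IOS first-match evaluation of a numbered extended ACL against constructed OSPF, EIGRP, RIPv2 and BGP probe packets and reports which of them the ACL would drop. The router and peer addresses and the sample ACL are constructed for illustration.

```python
import ipaddress

# Protocol keywords IOS accepts in extended ACLs, mapped to IP protocol numbers
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "eigrp": 88, "ospf": 89}
LOCAL_IP, PEER_IP = "10.1.1.1", "10.1.1.2"  # constructed: this router and its BGP peer

# Probe packets the router's routing sessions send: (proto, src, dst, dst_port)
ROUTING_PROBES = {
    "OSPF hello": (89, LOCAL_IP, "224.0.0.5", None),
    "EIGRP hello": (88, LOCAL_IP, "224.0.0.10", None),
    "RIPv2 update": (17, LOCAL_IP, "224.0.0.9", 520),
    "BGP session": (6, LOCAL_IP, PEER_IP, 179),
}

def _addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # Invert the IOS wildcard into a netmask explicitly: a 0.0.0.0 wildcard means /32
    mask = ipaddress.ip_address(int(ipaddress.ip_address(t[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2

def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC [eq p] DST [eq p]' lines into rules."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue  # remarks, blank lines, unrelated config
        pnum = int(t[3]) if t[3].isdigit() else PROTO_NUM[t[3]]
        src, i = _addr(t, 4)
        if i < len(t) and t[i] == "eq":
            i += 2  # source-port qualifier; the probes only check destination ports
        dst, i = _addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append((t[2], pnum, src, dst, dport, line.strip()))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First-match evaluation with the implicit deny at the end, as on IOS."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, pnum, rsrc, rdst, rport, text in rules:
        if (pnum in (None, proto) and s in rsrc and d in rdst
                and rport in (None, dport)):
            return action, text
    return "deny", "implicit deny"

def blocked_routing_protocols(acl_lines):
    """Return {probe name: ACL line that denies it} for every routing probe dropped."""
    rules = parse_acl(acl_lines)
    verdicts = {name: evaluate(rules, *probe) for name, probe in ROUTING_PROBES.items()}
    return {name: text for name, (action, text) in verdicts.items() if action == "deny"}

# Constructed sample: the telnet filter is harmless, but line 2 silently kills RIP
SAMPLE_ACL = [
    "access-list 101 deny tcp any any eq 23",
    "access-list 101 deny udp any any eq 520",
    "access-list 101 permit ip 10.0.0.0 0.255.255.255 any",
]
```

Running `blocked_routing_protocols(SAMPLE_ACL)` flags only the RIPv2 update, pointing at the `deny udp any any eq 520` line; an ACL with no permit for the routing protocols reports every probe as hitting the implicit deny.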