From: Eric Taylor (etaylor10@tampabay.rr.com)
Date: Sun Apr 03 2005 - 00:41:14 GMT-3
Nice checklist.
12-5 vaildate config. Don't just wait for route update afer "clear ip
bgp *" if you want to pass. It would take longer than a minute !!
Try to use "clear ip bgp * soft" after applying filters.
Good Luck!
Eric
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Jongsoo kim
Sent: Saturday, April 02, 2005 9:19 PM
To: Group Study
Subject: My checklist ( the final armor) for 5 April
This is my first time when I am making my own checklist.
I think everyone should make his/her own before CCIE lab !
Bring different color pens and high-lighter
( I don't think proctor care about them)
#1 Spend a few minute to understand the point distribution between
Core requirement (L2, IGP, BGP, ISDN) and non-core ( IOS, Service,
Security, Mcast)
#2 Spend a few minute to understand the topology.
Figure out core network, stub network, BB
#3 Enter Alias command to notepad and copy paste all router.
One of my favorite Aliases are
"show run | b Se"
#3 Attack F/R ( targetting 10~15 min)
Configure Router by router not interface by interface
Always 1) enc frame-remay 2) no frame inverse 3) no shut
Check if spoke to spoke connectivity is required by checking Core IGP
section.
ping from spoke to spoke if possible. not hub to spoke.
If PPP over FR, then always create VT first, user/password
#4 Attack CAT ( 15~20 min)
4-1 Read task and make VLAN table like below
VL Router CAT1 CAT2 Router VL
10 R1 f0/0------f0/1 f0/2 ---------f0/0 R2 10
20 R3 f0/1------f0/3 f0/4 ---------f0/0 R4 30
40 R5 f0/0 ------f0/5
40 R6 f0/1-------f0/6
f0/23---f0/23
f0/24---f0/24
vl 10 vl40
client vtp server vtp
4-2 configure CAT1 and CAT2 and validate
4-3 Read task once again and make sure nothing missed
4-4 ping vlan by vlan. Select only one device and ping all other on a
specific vlan.
No need to ping from multiple interface on a same vlan.
Don't wait for Arp resolution!
If PPP over ATM, then always create VT or dialer interface first, then
user/password
#5 Attack ATM ( I can't spend time if I screwed config. 5~15min )
Quickly decide PVC vs SVC
5-1 If SVC, then decide "CLIP" or "SVC nsap"
Put "pvc 0/16 ilmi and pvc 0/5 qsaal " and "show atm ilmi-status" to
vaildate nsap address.
5-1-1 if CLIP, then decide "arp-server self" or "arp-server nsap"
And then decide physical or sub
5-1-2 if SVC nsap, decide physical or logical
5-2 if PVC, then decide "pvc vci/vpi" or map-list/map-group
5-3 after 5-1 or 5-2 done, figure our nsap or vci/vpi. Pay attention
nssp is HEX!
5-4 ping and validate
L2 is over between 30~50 min ( Worst case = 60 min)
#6 Attack OSPF
6-1 Draw a diagram to configure OSPF router by router not area by area.( 10
min)
Check if there are
authentication
stub or nssa.
virtual link
Make a note on redistribute, summary, area-range.
Pay attention DR/BDR, OPSF network type
6-2
Configure OSPF router by router based on drawing in Black w/ green
high-lighter( 10~30 min)
6-2-1 Always configure Inteface first for 1)OPSF network type based
on DR/BDR, hello interval, etc 2) Authentication, 3) priority 4) Loop
interface ospf network type.
6-2-2 configure OSPF process in order of 1) router-id, 2) network (
copy past from interface address), 3) neighbor command
6-2-3 Validate everything is working ( 5 min)
6-3 Do redistribute, summary, area range ( 5 min)
6-4 avoid any engagement with giant beasts. But make a note.
OSPF is from 25 ~ 45 Min ( total 55 ~1:45)
7 Attack RIP( 20~30 min)
It is very tricky!
7-1 add RIP topology into OPSF drawing in blue ( 2 min).
7-2 Make sure active/passive interface
Pay attention of rip update method ( M/B/U) and version,
authentication
Never assume it is always V2!, no auto-summary, mcast, etc
This selection can be applied to each direction of interface.
7-3 Configure router by router( 5 min) per drawing
7-4 valiadte ( 3 min)
7-5 Spend enough time to be absolutely correct on route-filter,
summary, etc ( 5 min)
7-6 If mutual-redistribution is required, make sure multi-exit point
ot single-exit point. Don't fotget metric.
If it is multi-exit point, write down "rip subnets" on notepad and do
the following( 5 min)
7-6-1 "redistribute ospf" under "router rip"
##### Protect Rip routes reentering from OSPF ############
"Deny rip routes and permit all" route-map for "redistribute ospf" to rip
Don't wait after "clear ip route * " is issued if I am not "idiot!"
7-6-2 "redistribute rip subnets" under "router ospf"
##### Protect OSPF external routes reentering from Rip #####
"Permit only rip routes" route-map for "redistribute rip subnets" to OSPF
Don't wait after "clear ip route * " is issued if I am not "idiot!"
7-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
##### Fix redistributing router's AD for Rip routes #####
distance 121 0.0.0.0 255.255.255.255 11
"access-list 11 permit rip routes"
I saw sometimes this takes quite a few second. Don't do "clear ip
OPSF" or I will end up spending more time just for watching.
RIP is over 20 ~30 min( total 1:15 ~ 2:15)
8 Attack EIGRP ( 20~30min)
8-1 add EIGRP topology into OPSF drawing in black w/o high lighter ( 2 min).
8-2 Determine non/passive/active-eigrp interface. Be open minded that
BB can be multicast/unicast. Load-balance, authentication, stub,
summary address( 5 min )
8-3 Configure router by router( 5 min) per drawing
8-4 validate ( 5 min)
8-5 Spend enough time to be absolutely correct on route-filter,
summary, etc ( 5 min)
8-6 If mutual-redistribution is required, make sure multi-exit point
ot single-exit point.
If it is multi-exit point, write down "eigrp subnets" on notepad ( 5 min)
8-6-1"redistribute ospf" under "router eigrp"
#####Protect EIGRP external route reentering from OSPF #######
"Deny eigrp routes and permit all" route-map for "redistribute ospf" to
eigrp
Make sure metric is configured.
8-6-2 "redistribute eigrp subnet" under "router ospf"
##### Protect OSPF external routes reentering from EIGRP
"Only permit eigrp routes" route-map for "redistribute ospf" to eigrp
Make sure metric is configured.
8-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
##### Fix redistributing router's AD for eigrp external routes #####
distance 121 0.0.0.0 255.255.255.255 11
"access-list 11 permit eigrp routes"
I saw sometimes this takes quite a few second. Don't do "clear ip
OPSF" or I will end up spending more time just for watching.
Technically, only eigrp external route needs to be applied but eigrp
route won't hurt and make it simple.
EIGRP is over in 20~30 min (1:35 ~2:45 min)
9.Attack ISIS ( 10 min)
9-1 add ISIS topology into OPSF drawing in black w/ purple high
lighter ( 2 min).
9-2 determine area type, IS-type, authentication ( domain, area,
interface level1-2).
Make sure of correct value of NET ( it is Hex), summary address
9-3 Configure router by router.
9-4 I don't believe there will be multi-exit mutual redistribution on ISIS
Make sure to redistribute connect network from ISIS to OSPF.
ISIS is over in 10~15 min ( 1:45 ~3:00)
10 Attack ISDN ( 15~30 min)
10-1 draw ISDN on a separate paper. ( 30 sec)
10-2 Determine single/both callers, authentication type( no
auth/pap/chap), physical/dialer interface. PPP feature = multilink,
callback,
10-3 Figure out back-up method ( floating static/OSPF demand/watch
group/back-up interface/rip trriger/ snap-shot routing ) focus on how
full reachability can be accomplished after F/R failed. Make sure
link is not flapping.
10-4 Determine if there is additional task for interesting traffic
filtering.
10-5 configure ISDN router by router.
10-5-1 select switch type, spid and shut and no shut and show isdn status.
make sure L2 is happy! Also make a quick test call using both
string " isdn test call interface bri0/0 "string" " and disconnect "
isdn test disconnect interface bri0/0 all"
10-5-2 validate the link
ISDN is over in 15 ~30 min ( 2:00 ~ 3:30)
11 Golden Moment ( 5~30 min)
Check the Golden moment per NMC meaning the exciting moment when you
get ping response from every router to every router.
Run tclsh script
"foreach addr {
1.1.1.1
...
} { ping $ addr}"
Just copy past after tclsh ( it is really cool when you see pings go
through from everywhere to everywhere). To quit, juts type " tclq"
11.1 when ping has no response, write down ip address and troubleshoot.
Drawing will be the excellent tool for troubleshooting
Don't bother ISDN link yet.
Full reachability is done in 5 ~30 min ( 2:05 ~4:00)
12 Attack BGP( 20 ~40 min)
12.1 Drawing a BGP topology on a separate paper.( 3 min)
12.2 Determine RR or CON or both to do full-mesh iBGP.
See if neighbor peer-group is required,
decide ip address ot use bgp session.
12.3 Configure router by router not BGP session-by-session
always put no sync and no auto-summary if allowed.
12-4 Spend enough time to be absolutely correct on route-filtering (
ACL, prefix-list, as-path filer), route-aggregate(w/ as-set,
summary-only, supress-map, attribute-map, advertise-map),
route-manipulation( w/as-prepending, med, local-pref, weight,
next-hop, advertise-map/non/existing-map, orgin, community, etc )
route-dampening, etc.
12-5 vaildate config. Don't just wait for route update afer "clear ip
bgp *" if you want to pass. It would take longer than a minute !!
BGP is over in 20 ~40 ( 2:25 ~ 4:40) My target is before lunch!
13 IPv6( 10 min)
13-1 draw a sipmple diagram ( 1 min)
13-2 Watch out link local address over FR multilink.
SLA ID is 4th 16bit
16bit:16bit:16bit:SLA ID(16 bit) : interface ID( 64 bits)
site-local = FEC0::
link-local = fe80::
13-3 Check a full reachability using tcl script or just manual ping
depneding on the number router.
IPv6 is over 10 min ( total 2:35 ~ 4 :50)
################## Core routing is done ####################
I should have at least 3 hours to go at least.
Strategy will change depending how much time I have at this moment.
14 I would do multicast first ( 15 min)
14-1 Mark a Mcast topology with red high lighter on OSPF drawing.
14-2 Determine mcast topology ( dense-mode, static RP pim sparse,
Auto-rp/MA, pim V2 bsr, Auto-rp/MA/MSDP).
14-3 Configure router-by-router
14-4 valildate it
14-5 If second part is difficult, skip by making a note.
15 IOS/IP service
Be careful not to block or drop any IGP updates
15-1, just check quikcly and do easy one first.
15-2, skip difficult task by making a note
16 QoS
Be careful not to block or drop any IGP updates
16-1 Draw a flow on paper instead of in brain.
16-2 Always determine classification method( ACL, NBAR) and direction.
16-3 Determine shaping vs policing
16-4 Consider all options for queuing( legacy custom/priority,
bandwidth/priority, shape average/peak, FRTS/GTS)
16-5 consider all options for policing ( police, rate-limit, ip
multicast rate-limit, aggregate police( 3550))
16-6 If frame-relay, don't forget adaptive-shaping.( becn, fecn, foresight)
16-7 Consider all droping mode (random detect, ecn, tail drop, marking, etc)
17 Security
Be careful not to block or drop any IGP updates
17-1 Draw a flow on paper instead of in brain.
17-2 Consdier all options for classification
std/ext/reflexive/dynamic ACL,
IP insepct,
tcp intercept
unicast RFP,
ip accouting output packet /access-violation/precedence,
17-2 When configuring Switchport port-security mac-address, be careful
to include vurtual and physical mac if HSRP is running.
18 DLSW
18.1 Draw a qucik topology ( 1 min)
18.2 Decide method of DLSW TCP, fst, fr.( I think only TCP will show up)
Peer on-demand( group/border)
Dynamic peering ( dynamic)
Loadbalance (round-robin, circuit-count),
Back-up ( back-up peer or cost)
DSLW use tcp 2065 and udp 2067
NAT can affect DLSW ( higher ip DLSW peer drops)
18.3 decide type of filtering
18-3-1 Netbios name filter( netbios access-list host xyz permit zyx )
Icanreach/icannotreach netbios-name /netbiosexclusive
18-3-2 MAC address filer ( access-list 700-799, mac-address conevrsion
needed )
Icanreach/icannotreach mac-address/mac-exclusive( address
conversion)
18-3-3 LSAP filter ( access-list 200-299 permit )
SNA only "access-list 200 permit 0x0000 0x0d0d"
SNA and Netbios " access-list 200 permit 0xf0f0 0x0101
Icanreach/icannotreach saps
icannotreach saps f0 ( deny netbios)
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:51 GMT-3