RE: My checklist ( the final armor) for 5 April

From: Eric Taylor (etaylor10@tampabay.rr.com)
Date: Sun Apr 03 2005 - 00:51:04 GMT-3

One more thing to add and this might be personal preference for most folks,
but once you "think" your done, write the configs and reload the routers if
you have time. Verify everything once they come back up. The routers are
reloaded before they are graded so you will have an idea if everything is
still stable after a reload.

Eric

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Jongsoo kim
Sent: Saturday, April 02, 2005 10:28 PM
To: Matt White
Cc: Group Study
Subject: Re: My checklist ( the final armor) for 5 April

Yeah. I know what you meant...And this is my new strategy inspired by
someone.

I've been in a situation that the last question in the exam that has
nothing to do with igp ruins all my IGP losing over 10 points. no time
to recover...
You know my handshaking, brain malfunctioning, and time is up...( feel
like in a deep "shit" )
And later my grade calculation showed I would've passed if I didn't
screw that one...

I kinda figured drawing a topology w/ key note will help me to catach
those traps.
Even I am trapped, it would help me to get out quick.

Also, it can make me to configuire router by router not interface by
interface so investing a little of time may end up saving time.

I like to be calm and keep a constant speed beginning to the end.
1) Figuring out and documenting.
2) configuring it as a whole.

But if I will pass, I will pass and if I fail, I will fail no matter
what... ^ ^

On Apr 2, 2005 9:32 PM, Matt White <mwhite23@gmail.com> wrote:
> Nice thorough list...
>
> Too much writing stuff down IMO, especially since the proctor won't
> look at it. But, if it works for you, do it all.
>
> Good luck.
>
> On Apr 2, 2005, at 9:19 PM, Jongsoo kim wrote:
>
> > This is my first time when I am making my own checklist.
> > I think everyone should make his/her own before CCIE lab !
> >
> > Bring different color pens and high-lighter
> > ( I don't think proctor care about them)
> >
> > #1 Spend a few minute to understand the point distribution between
> > Core requirement (L2, IGP, BGP, ISDN) and non-core ( IOS, Service,
> > Security, Mcast)
> >
> > #2 Spend a few minute to understand the topology.
> > Figure out core network, stub network, BB
> >
> > #3 Enter Alias command to notepad and copy paste all router.
> > One of my favorite Aliases are
> > "show run | b Se"
> >
> > #3 Attack F/R ( targetting 10~15 min)
> > Configure Router by router not interface by interface
> > Always 1) enc frame-remay 2) no frame inverse 3) no shut
> > Check if spoke to spoke connectivity is required by checking Core IGP
> > section.
> > ping from spoke to spoke if possible. not hub to spoke.
> >
> > If PPP over FR, then always create VT first, user/password
> >
> > #4 Attack CAT ( 15~20 min)
> > 4-1 Read task and make VLAN table like below
> > VL Router CAT1 CAT2 Router VL
> > 10 R1 f0/0------f0/1 f0/2 ---------f0/0 R2 10
> > 20 R3 f0/1------f0/3 f0/4 ---------f0/0 R4 30
> > 40 R5 f0/0 ------f0/5
> > 40 R6 f0/1-------f0/6
> > f0/23---f0/23
> > f0/24---f0/24
> > vl 10 vl40
> > client vtp server vtp
> > 4-2 configure CAT1 and CAT2 and validate
> > 4-3 Read task once again and make sure nothing missed
> > 4-4 ping vlan by vlan. Select only one device and ping all other on a
> > specific vlan.
> > No need to ping from multiple interface on a same vlan.
> > Don't wait for Arp resolution!
> > If PPP over ATM, then always create VT or dialer interface first, then
> > user/password
> >
> > #5 Attack ATM ( I can't spend time if I screwed config. 5~15min )
> > Quickly decide PVC vs SVC
> > 5-1 If SVC, then decide "CLIP" or "SVC nsap"
> > Put "pvc 0/16 ilmi and pvc 0/5 qsaal " and "show atm ilmi-status" to
> > vaildate nsap address.
> > 5-1-1 if CLIP, then decide "arp-server self" or "arp-server nsap"
> > And then decide physical or sub
> > 5-1-2 if SVC nsap, decide physical or logical
> > 5-2 if PVC, then decide "pvc vci/vpi" or map-list/map-group
> > 5-3 after 5-1 or 5-2 done, figure our nsap or vci/vpi. Pay attention
> > nssp is HEX!
> > 5-4 ping and validate
> >
> > L2 is over between 30~50 min ( Worst case = 60 min)
> >
> > #6 Attack OSPF
> > 6-1 Draw a diagram to configure OSPF router by router not area by
> > area.( 10 min)
> > Check if there are
> > authentication
> > stub or nssa.
> > virtual link
> > Make a note on redistribute, summary, area-range.
> > Pay attention DR/BDR, OPSF network type
> >
> > 6-2
> > Configure OSPF router by router based on drawing in Black w/ green
> > high-lighter( 10~30 min)
> > 6-2-1 Always configure Inteface first for 1)OPSF network type based
> > on DR/BDR, hello interval, etc 2) Authentication, 3) priority 4) Loop
> > interface ospf network type.
> > 6-2-2 configure OSPF process in order of 1) router-id, 2) network (
> > copy past from interface address), 3) neighbor command
> > 6-2-3 Validate everything is working ( 5 min)
> >
> > 6-3 Do redistribute, summary, area range ( 5 min)
> >
> > 6-4 avoid any engagement with giant beasts. But make a note.
> >
> > OSPF is from 25 ~ 45 Min ( total 55 ~1:45)
> >
> > 7 Attack RIP( 20~30 min)
> > It is very tricky!
> > 7-1 add RIP topology into OPSF drawing in blue ( 2 min).
> > 7-2 Make sure active/passive interface
> > Pay attention of rip update method ( M/B/U) and version,
> > authentication
> > Never assume it is always V2!, no auto-summary, mcast, etc
> > This selection can be applied to each direction of interface.
> > 7-3 Configure router by router( 5 min) per drawing
> > 7-4 valiadte ( 3 min)
> > 7-5 Spend enough time to be absolutely correct on route-filter,
> > summary, etc ( 5 min)
> > 7-6 If mutual-redistribution is required, make sure multi-exit point
> > ot single-exit point. Don't fotget metric.
> > If it is multi-exit point, write down "rip subnets" on notepad and do
> > the following( 5 min)
> >
> > 7-6-1 "redistribute ospf" under "router rip"
> > ##### Protect Rip routes reentering from OSPF ############
> > "Deny rip routes and permit all" route-map for "redistribute ospf" to
> > rip
> > Don't wait after "clear ip route * " is issued if I am not "idiot!"
> >
> > 7-6-2 "redistribute rip subnets" under "router ospf"
> > ##### Protect OSPF external routes reentering from Rip #####
> > "Permit only rip routes" route-map for "redistribute rip subnets" to
> > OSPF
> > Don't wait after "clear ip route * " is issued if I am not "idiot!"
> >
> > 7-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
> > ##### Fix redistributing router's AD for Rip routes #####
> > distance 121 0.0.0.0 255.255.255.255 11
> > "access-list 11 permit rip routes"
> > I saw sometimes this takes quite a few second. Don't do "clear ip
> > OPSF" or I will end up spending more time just for watching.
> >
> > RIP is over 20 ~30 min( total 1:15 ~ 2:15)
> >
> > 8 Attack EIGRP ( 20~30min)
> > 8-1 add EIGRP topology into OPSF drawing in black w/o high lighter ( 2
> > min).
> > 8-2 Determine non/passive/active-eigrp interface. Be open minded that
> > BB can be multicast/unicast. Load-balance, authentication, stub,
> > summary address( 5 min )
> > 8-3 Configure router by router( 5 min) per drawing
> > 8-4 validate ( 5 min)
> > 8-5 Spend enough time to be absolutely correct on route-filter,
> > summary, etc ( 5 min)
> > 8-6 If mutual-redistribution is required, make sure multi-exit point
> > ot single-exit point.
> >
> > If it is multi-exit point, write down "eigrp subnets" on notepad ( 5
> > min)
> > 8-6-1"redistribute ospf" under "router eigrp"
> > #####Protect EIGRP external route reentering from OSPF #######
> > "Deny eigrp routes and permit all" route-map for "redistribute ospf"
> > to eigrp
> > Make sure metric is configured.
> >
> > 8-6-2 "redistribute eigrp subnet" under "router ospf"
> > ##### Protect OSPF external routes reentering from EIGRP
> > "Only permit eigrp routes" route-map for "redistribute ospf" to eigrp
> > Make sure metric is configured.
> >
> > 8-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
> > ##### Fix redistributing router's AD for eigrp external routes #####
> > distance 121 0.0.0.0 255.255.255.255 11
> > "access-list 11 permit eigrp routes"
> > I saw sometimes this takes quite a few second. Don't do "clear ip
> > OPSF" or I will end up spending more time just for watching.
> > Technically, only eigrp external route needs to be applied but eigrp
> > route won't hurt and make it simple.
> >
> > EIGRP is over in 20~30 min (1:35 ~2:45 min)
> >
> > 9.Attack ISIS ( 10 min)
> > 9-1 add ISIS topology into OPSF drawing in black w/ purple high
> > lighter ( 2 min).
> > 9-2 determine area type, IS-type, authentication ( domain, area,
> > interface level1-2).
> > Make sure of correct value of NET ( it is Hex), summary address
> > 9-3 Configure router by router.
> > 9-4 I don't believe there will be multi-exit mutual redistribution on
> > ISIS
> > Make sure to redistribute connect network from ISIS to OSPF.
> >
> > ISIS is over in 10~15 min ( 1:45 ~3:00)
> >
> > 10 Attack ISDN ( 15~30 min)
> > 10-1 draw ISDN on a separate paper. ( 30 sec)
> > 10-2 Determine single/both callers, authentication type( no
> > auth/pap/chap), physical/dialer interface. PPP feature = multilink,
> > callback,
> > 10-3 Figure out back-up method ( floating static/OSPF demand/watch
> > group/back-up interface/rip trriger/ snap-shot routing ) focus on how
> > full reachability can be accomplished after F/R failed. Make sure
> > link is not flapping.
> > 10-4 Determine if there is additional task for interesting traffic
> > filtering.
> > 10-5 configure ISDN router by router.
> > 10-5-1 select switch type, spid and shut and no shut and show isdn
> > status.
> > make sure L2 is happy! Also make a quick test call using both
> > string " isdn test call interface bri0/0 "string" " and disconnect "
> > isdn test disconnect interface bri0/0 all"
> > 10-5-2 validate the link
> >
> > ISDN is over in 15 ~30 min ( 2:00 ~ 3:30)
> >
> > 11 Golden Moment ( 5~30 min)
> > Check the Golden moment per NMC meaning the exciting moment when you
> > get ping response from every router to every router.
> > Run tclsh script
> > "foreach addr {
> > 1.1.1.1
> > ...
> > } { ping $ addr}"
> > Just copy past after tclsh ( it is really cool when you see pings go
> > through from everywhere to everywhere). To quit, juts type " tclq"
> >
> > 11.1 when ping has no response, write down ip address and troubleshoot.
> > Drawing will be the excellent tool for troubleshooting
> > Don't bother ISDN link yet.
> >
> > Full reachability is done in 5 ~30 min ( 2:05 ~4:00)
> >
> > 12 Attack BGP( 20 ~40 min)
> > 12.1 Drawing a BGP topology on a separate paper.( 3 min)
> > 12.2 Determine RR or CON or both to do full-mesh iBGP.
> > See if neighbor peer-group is required,
> > decide ip address ot use bgp session.
> > 12.3 Configure router by router not BGP session-by-session
> > always put no sync and no auto-summary if allowed.
> > 12-4 Spend enough time to be absolutely correct on route-filtering (
> > ACL, prefix-list, as-path filer), route-aggregate(w/ as-set,
> > summary-only, supress-map, attribute-map, advertise-map),
> > route-manipulation( w/as-prepending, med, local-pref, weight,
> > next-hop, advertise-map/non/existing-map, orgin, community, etc )
> > route-dampening, etc.
> > 12-5 vaildate config. Don't just wait for route update afer "clear ip
> > bgp *" if you want to pass. It would take longer than a minute !!
> >
> > BGP is over in 20 ~40 ( 2:25 ~ 4:40) My target is before lunch!
> >
> > 13 IPv6( 10 min)
> > 13-1 draw a sipmple diagram ( 1 min)
> > 13-2 Watch out link local address over FR multilink.
> > SLA ID is 4th 16bit
> > 16bit:16bit:16bit:SLA ID(16 bit) : interface ID( 64 bits)
> > site-local = FEC0::
> > link-local = fe80::
> > 13-3 Check a full reachability using tcl script or just manual ping
> > depneding on the number router.
> >
> > IPv6 is over 10 min ( total 2:35 ~ 4 :50)
> >
> > ################## Core routing is done ####################
> > I should have at least 3 hours to go at least.
> >
> > Strategy will change depending how much time I have at this moment.
> >
> > 14 I would do multicast first ( 15 min)
> > 14-1 Mark a Mcast topology with red high lighter on OSPF drawing.
> > 14-2 Determine mcast topology ( dense-mode, static RP pim sparse,
> > Auto-rp/MA, pim V2 bsr, Auto-rp/MA/MSDP).
> > 14-3 Configure router-by-router
> > 14-4 valildate it
> > 14-5 If second part is difficult, skip by making a note.
> >
> > 15 IOS/IP service
> > Be careful not to block or drop any IGP updates
> > 15-1, just check quikcly and do easy one first.
> > 15-2, skip difficult task by making a note
> >
> > 16 QoS
> > Be careful not to block or drop any IGP updates
> > 16-1 Draw a flow on paper instead of in brain.
> > 16-2 Always determine classification method( ACL, NBAR) and direction.
> > 16-3 Determine shaping vs policing
> > 16-4 Consider all options for queuing( legacy custom/priority,
> > bandwidth/priority, shape average/peak, FRTS/GTS)
> > 16-5 consider all options for policing ( police, rate-limit, ip
> > multicast rate-limit, aggregate police( 3550))
> > 16-6 If frame-relay, don't forget adaptive-shaping.( becn, fecn,
> > foresight)
> > 16-7 Consider all droping mode (random detect, ecn, tail drop,
> > marking, etc)
> >
> > 17 Security
> > Be careful not to block or drop any IGP updates
> > 17-1 Draw a flow on paper instead of in brain.
> > 17-2 Consdier all options for classification
> > std/ext/reflexive/dynamic ACL,
> > IP insepct,
> > tcp intercept
> > unicast RFP,
> > ip accouting output packet /access-violation/precedence,
> >
> > 17-2 When configuring Switchport port-security mac-address, be careful
> > to include vurtual and physical mac if HSRP is running.
> >
> > 18 DLSW
> > 18.1 Draw a qucik topology ( 1 min)
> > 18.2 Decide method of DLSW TCP, fst, fr.( I think only TCP will show
> > up)
> > Peer on-demand( group/border)
> > Dynamic peering ( dynamic)
> > Loadbalance (round-robin, circuit-count),
> > Back-up ( back-up peer or cost)
> > DSLW use tcp 2065 and udp 2067
> > NAT can affect DLSW ( higher ip DLSW peer drops)
> > 18.3 decide type of filtering
> > 18-3-1 Netbios name filter( netbios access-list host xyz permit zyx )
> > Icanreach/icannotreach netbios-name /netbiosexclusive
> >
> > 18-3-2 MAC address filer ( access-list 700-799, mac-address
> > conevrsion needed )
> > Icanreach/icannotreach mac-address/mac-exclusive( address
> > conversion)
> >
> > 18-3-3 LSAP filter ( access-list 200-299 permit )
> > SNA only "access-list 200 permit 0x0000 0x0d0d"
> > SNA and Netbios " access-list 200 permit 0xf0f0 0x0101
> > Icanreach/icannotreach saps
> > icannotreach saps f0 ( deny netbios)
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:52 GMT-3