From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Sun Apr 03 2005 - 02:03:47 GMT-3
Jongsoo,
I didn't notice it in your checklist and I could have overlooked
it, but do you have plans to do a reachability test when the backup method
is active?
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jongsoo kim
Sent: Saturday, April 02, 2005 8:50 PM
To: Eric Taylor
Cc: Group Study
Subject: Re: My checklist ( the final armor) for 5 April
Excellent, Eric!
The stuff like "clear ip bgp * soft" is exactly what I am looking
for from the study group.
On Apr 2, 2005 10:41 PM, Eric Taylor <etaylor10@tampabay.rr.com> wrote:
> Nice checklist.
>
> 12-5 validate config. Don't just wait for the route update after "clear ip
> bgp *" if you want to pass. It would take longer than a minute !!
>
> Try to use "clear ip bgp * soft" after applying filters.
>
> Good Luck!
>
> Eric
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Jongsoo kim
> Sent: Saturday, April 02, 2005 9:19 PM
> To: Group Study
> Subject: My checklist ( the final armor) for 5 April
>
> This is the first time I am making my own checklist.
> I think everyone should make his/her own before the CCIE lab!
>
> Bring different color pens and a high-lighter
> (I don't think the proctors care about them)
>
> #1 Spend a few minutes to understand the point distribution between
> core requirements (L2, IGP, BGP, ISDN) and non-core (IOS, Services,
> Security, Mcast)
>
> #2 Spend a few minutes to understand the topology.
> Figure out core network, stub network, BB
>
> #3 Enter alias commands into notepad and copy/paste to all routers.
> One of my favorite aliases is
> "show run | b Se"
>
> #3 Attack F/R (targeting 10~15 min)
> Configure router by router, not interface by interface
> Always 1) enc frame-relay 2) no frame inverse 3) no shut
> Check if spoke-to-spoke connectivity is required by checking the Core IGP
> section.
> Ping from spoke to spoke if possible, not hub to spoke.
>
> If PPP over FR, then always create the VT first, then user/password
>
> #4 Attack CAT (15~20 min)
> 4-1 Read the task and make a VLAN table like below
> VL Router CAT1 CAT2 Router VL
> 10 R1 f0/0------f0/1 f0/2 ---------f0/0 R2 10
> 20 R3 f0/1------f0/3 f0/4 ---------f0/0 R4 30
> 40 R5 f0/0 ------f0/5
> 40 R6 f0/1-------f0/6
> f0/23---f0/23
> f0/24---f0/24
> vl 10 vl40
> client vtp server vtp
> 4-2 Configure CAT1 and CAT2 and validate
> 4-3 Read the task once again and make sure nothing is missed
> 4-4 Ping vlan by vlan. Select only one device and ping all others on a
> specific vlan.
> No need to ping from multiple interfaces on the same vlan.
> Don't wait for ARP resolution!
> If PPP over ATM, then always create the VT or dialer interface first, then
> user/password
>
> #5 Attack ATM (I can't spend time if I screw up the config. 5~15 min)
> Quickly decide PVC vs SVC
> 5-1 If SVC, then decide "CLIP" or "SVC nsap"
> Put "pvc 0/16 ilmi and pvc 0/5 qsaal" and "show atm ilmi-status" to
> validate the nsap address.
> 5-1-1 If CLIP, then decide "arp-server self" or "arp-server nsap"
> and then decide physical or sub
> 5-1-2 If SVC nsap, decide physical or logical
> 5-2 If PVC, then decide "pvc vci/vpi" or map-list/map-group
> 5-3 After 5-1 or 5-2 is done, figure out the nsap or vci/vpi. Pay attention:
> nsap is HEX!
> 5-4 Ping and validate
>
> L2 is over between 30~50 min ( Worst case = 60 min)
>
> #6 Attack OSPF
> 6-1 Draw a diagram to configure OSPF router by router, not area by
> area. (10 min)
> Check if there are
> authentication
> stub or nssa
> virtual link
> Make a note on redistribute, summary, area-range.
> Pay attention to DR/BDR, OSPF network type
>
> 6-2
> Configure OSPF router by router based on the drawing in black w/ green
> high-lighter (10~30 min)
> 6-2-1 Always configure the interface first for 1) OSPF network type based
> on DR/BDR, hello interval, etc. 2) authentication, 3) priority 4) loopback
> interface ospf network type.
> 6-2-2 Configure the OSPF process in order of 1) router-id, 2) network (
> copy/paste from interface address), 3) neighbor command
> 6-2-3 Validate everything is working (5 min)
>
> 6-3 Do redistribute, summary, area range ( 5 min)
>
> 6-4 avoid any engagement with giant beasts. But make a note.
>
> OSPF is from 25 ~ 45 Min ( total 55 ~1:45)
>
> 7 Attack RIP (20~30 min)
> It is very tricky!
> 7-1 Add RIP topology into the OSPF drawing in blue (2 min).
> 7-2 Make sure of active/passive interfaces
> Pay attention to the rip update method (M/B/U) and version,
> authentication
> Never assume it is always V2!, no auto-summary, mcast, etc.
> This selection can be applied to each direction of an interface.
> 7-3 Configure router by router (5 min) per drawing
> 7-4 Validate (3 min)
> 7-5 Spend enough time to be absolutely correct on route-filter,
> summary, etc. (5 min)
> 7-6 If mutual redistribution is required, make sure multi-exit point
> or single-exit point. Don't forget metric.
> If it is multi-exit point, write down "rip subnets" on notepad and do
> the following (5 min)
>
> 7-6-1 "redistribute ospf" under "router rip"
> ##### Protect Rip routes reentering from OSPF ############
> "Deny rip routes and permit all" route-map for "redistribute ospf" to
> rip
> Don't wait after "clear ip route *" is issued if I am not an "idiot!"
>
> 7-6-2 "redistribute rip subnets" under "router ospf"
> ##### Protect OSPF external routes reentering from Rip #####
> "Permit only rip routes" route-map for "redistribute rip subnets" to
> OSPF
> Don't wait after "clear ip route *" is issued if I am not an "idiot!"
>
> 7-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
> ##### Fix redistributing router's AD for Rip routes #####
> distance 121 0.0.0.0 255.255.255.255 11
> "access-list 11 permit rip routes"
> I saw sometimes this takes quite a few seconds. Don't do "clear ip
> OSPF" or I will end up spending more time just watching.
>
> RIP is over 20 ~30 min( total 1:15 ~ 2:15)
>
> 8 Attack EIGRP (20~30 min)
> 8-1 Add EIGRP topology into the OSPF drawing in black w/o high-lighter (2
> min).
> 8-2 Determine non/passive/active-eigrp interfaces. Be open-minded that
> BB can be multicast/unicast. Load-balance, authentication, stub,
> summary address (5 min)
> 8-3 Configure router by router (5 min) per drawing
> 8-4 Validate (5 min)
> 8-5 Spend enough time to be absolutely correct on route-filter,
> summary, etc. (5 min)
> 8-6 If mutual redistribution is required, make sure multi-exit point
> or single-exit point.
>
> If it is multi-exit point, write down "eigrp subnets" on notepad (5
> min)
> 8-6-1 "redistribute ospf" under "router eigrp"
> ##### Protect EIGRP external routes reentering from OSPF #######
> "Deny eigrp routes and permit all" route-map for "redistribute ospf"
> to
> eigrp
> Make sure metric is configured.
>
> 8-6-2 "redistribute eigrp subnets" under "router ospf"
> ##### Protect OSPF external routes reentering from EIGRP #####
> "Only permit eigrp routes" route-map for "redistribute ospf" to eigrp
> Make sure metric is configured.
>
> 8-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
> ##### Fix redistributing router's AD for eigrp external routes #####
> distance 121 0.0.0.0 255.255.255.255 11
> "access-list 11 permit eigrp routes"
> I saw sometimes this takes quite a few seconds. Don't do "clear ip
> OSPF" or I will end up spending more time just watching.
> Technically, only eigrp external routes need to be applied, but eigrp
> routes won't hurt and it makes it simple.
>
> EIGRP is over in 20~30 min (1:35 ~2:45 min)
>
> 9 Attack ISIS (10 min)
> 9-1 Add ISIS topology into the OSPF drawing in black w/ purple
> high-lighter (2 min).
> 9-2 Determine area type, IS-type, authentication (domain, area,
> interface level-1-2).
> Make sure of the correct value of NET (it is Hex), summary address
> 9-3 Configure router by router.
> 9-4 I don't believe there will be multi-exit mutual redistribution on
> ISIS
> Make sure to redistribute connected networks from ISIS to OSPF.
>
> ISIS is over in 10~15 min ( 1:45 ~3:00)
>
> 10 Attack ISDN (15~30 min)
> 10-1 Draw ISDN on a separate paper. (30 sec)
> 10-2 Determine single/both callers, authentication type (no
> auth/pap/chap), physical/dialer interface. PPP feature = multilink,
> callback,
> 10-3 Figure out the back-up method (floating static/OSPF demand/watch
> group/back-up interface/rip trigger/snapshot routing). Focus on how
> full reachability can be accomplished after F/R fails. Make sure the
> link is not flapping.
> 10-4 Determine if there is an additional task for interesting traffic
> filtering.
> 10-5 Configure ISDN router by router.
> 10-5-1 Select switch type, spid, and shut and no shut, and show isdn
> status.
> Make sure L2 is happy! Also make a quick test call using both
> string "isdn test call interface bri0/0 "string"" and disconnect "
> isdn test disconnect interface bri0/0 all"
> 10-5-2 Validate the link
>
> ISDN is over in 15 ~30 min ( 2:00 ~ 3:30)
>
> 11 Golden Moment (5~30 min)
> Check the Golden Moment per NMC, meaning the exciting moment when you
> get ping responses from every router to every router.
> Run a tclsh script
> "foreach addr {
> 1.1.1.1
> ...
> } { ping $addr }"
> Just copy/paste after tclsh (it is really cool when you see pings go
> through from everywhere to everywhere). To quit, just type "tclq"
>
> 11.1 When a ping has no response, write down the ip address and
> troubleshoot.
> The drawing will be an excellent tool for troubleshooting
> Don't bother with the ISDN link yet.
>
> Full reachability is done in 5 ~30 min ( 2:05 ~4:00)
>
> 12 Attack BGP (20~40 min)
> 12.1 Draw a BGP topology on a separate paper. (3 min)
> 12.2 Determine RR or CON or both to do full-mesh iBGP.
> See if neighbor peer-group is required,
> decide the ip address to use for the bgp session.
> 12.3 Configure router by router, not BGP session by session
> always put no sync and no auto-summary if allowed.
> 12-4 Spend enough time to be absolutely correct on route-filtering (
> ACL, prefix-list, as-path filter), route-aggregate (w/ as-set,
> summary-only, suppress-map, attribute-map, advertise-map),
> route-manipulation (w/ as-prepending, med, local-pref, weight,
> next-hop, advertise-map/non-exist-map, origin, community, etc.)
> route-dampening, etc.
> 12-5 Validate config. Don't just wait for the route update after "clear ip
> bgp *" if you want to pass. It would take longer than a minute !!
>
> BGP is over in 20 ~40 ( 2:25 ~ 4:40) My target is before lunch!
>
> 13 IPv6 (10 min)
> 13-1 Draw a simple diagram (1 min)
> 13-2 Watch out for link-local addresses over FR multilink.
> SLA ID is the 4th 16 bits
> 16bit:16bit:16bit:SLA ID (16 bits):interface ID (64 bits)
> site-local = FEC0::
> link-local = fe80::
> 13-3 Check full reachability using the tcl script or just manual ping
> depending on the number of routers.
>
> IPv6 is over 10 min ( total 2:35 ~ 4 :50)
>
> ################## Core routing is done ####################
> I should have at least 3 hours to go.
>
> Strategy will change depending on how much time I have at this moment.
>
> 14 I would do multicast first (15 min)
> 14-1 Mark the Mcast topology with red high-lighter on the OSPF drawing.
> 14-2 Determine mcast topology (dense-mode, static RP pim sparse,
> Auto-rp/MA, pim V2 bsr, Auto-rp/MA/MSDP).
> 14-3 Configure router by router
> 14-4 Validate it
> 14-5 If the second part is difficult, skip it by making a note.
>
> 15 IOS/IP service
> Be careful not to block or drop any IGP updates
> 15-1 Just check quickly and do the easy ones first.
> 15-2 Skip difficult tasks by making a note
>
> 16 QoS
> Be careful not to block or drop any IGP updates
> 16-1 Draw a flow on paper instead of in your brain.
> 16-2 Always determine classification method (ACL, NBAR) and direction.
> 16-3 Determine shaping vs policing
> 16-4 Consider all options for queuing (legacy custom/priority,
> bandwidth/priority, shape average/peak, FRTS/GTS)
> 16-5 Consider all options for policing (police, rate-limit, ip
> multicast rate-limit, aggregate police (3550))
> 16-6 If frame-relay, don't forget adaptive shaping (becn, fecn,
> foresight)
> 16-7 Consider all dropping modes (random detect, ecn, tail drop,
> marking, etc.)
>
> 17 Security
> Be careful not to block or drop any IGP updates
> 17-1 Draw a flow on paper instead of in your brain.
> 17-2 Consider all options for classification
> std/ext/reflexive/dynamic ACL,
> IP inspect,
> tcp intercept,
> unicast RPF,
> ip accounting output-packets/access-violations/precedence,
>
> 17-2 When configuring switchport port-security mac-address, be careful
> to include the virtual and physical mac if HSRP is running.
>
> 18 DLSW
> 18.1 Draw a quick topology (1 min)
> 18.2 Decide the method of DLSW: TCP, fst, fr. (I think only TCP will show
> up)
> Peer on-demand (group/border)
> Dynamic peering (dynamic)
> Loadbalance (round-robin, circuit-count),
> Back-up (back-up peer or cost)
> DLSW uses tcp 2065 and udp 2067
> NAT can affect DLSW (higher ip DLSW peer drops)
> 18.3 Decide the type of filtering
> 18-3-1 Netbios name filter (netbios access-list host xyz permit zyx)
> Icanreach/icannotreach netbios-name/netbios-exclusive
>
> 18-3-2 MAC address filter (access-list 700-799, mac-address
> conversion
> needed)
> Icanreach/icannotreach mac-address/mac-exclusive (address
> conversion)
>
> 18-3-3 LSAP filter (access-list 200-299 permit)
> SNA only "access-list 200 permit 0x0000 0x0d0d"
> SNA and Netbios "access-list 200 permit 0xf0f0 0x0101"
> Icanreach/icannotreach saps
> icannotreach saps f0 (deny netbios)
>
>
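The mutual-redistribution protection in items 7-6-1 to 7-6-3 of the checklist, written out as a complete IOS configuration for one of the two exit routers. This is an added example, not configuration from any of the posts above: the prefixes 172.16.1.0/24 and 172.16.2.0/24 (the RIP side), 10.0.0.0/24 (the OSPF side), OSPF process 1, router-id 1.1.1.1, the route-map names and the RIP metric of 3 are all assumed values chosen for illustration. The same access-list 11 that lists the RIP-originated prefixes drives all three pieces: it keeps those prefixes out of the OSPF-to-RIP direction, lets only those prefixes through in the RIP-to-OSPF direction, and raises the OSPF administrative distance for them so the other exit router's OSPF external copy (AD 110) cannot displace the genuine RIP route (AD 120) in the local routing table.

```cisco
! Added example (not from the original posts): RIP/OSPF mutual
! redistribution with route-feedback protection on a multi-exit router.
! All prefixes, process IDs, names and metrics below are assumed values.
!
! The RIP-originated prefixes, listed explicitly (7-6-3 "access-list 11
! permit rip routes"). Both route-maps and the distance command reuse it.
access-list 11 permit 172.16.1.0 0.0.0.255
access-list 11 permit 172.16.2.0 0.0.0.255
!
! 7-6-2: "permit only rip routes" into OSPF. Anything else that RIP may
! have learned (for example a route that came from OSPF via the other
! exit router) is dropped by the implicit deny at the end of the map.
route-map RIP-TO-OSPF permit 10
 match ip address 11
!
! 7-6-1: "deny rip routes and permit all" into RIP. The RIP prefixes
! are already native to RIP, so an OSPF copy of them must never be
! re-injected; every other OSPF route is allowed through.
route-map OSPF-TO-RIP deny 10
 match ip address 11
route-map OSPF-TO-RIP permit 20
!
router rip
 version 2
 no auto-summary
 network 172.16.0.0
 ! Metric is mandatory here (7-6: "Don't forget metric").
 redistribute ospf 1 metric 3 route-map OSPF-TO-RIP
!
router ospf 1
 router-id 1.1.1.1
 network 10.0.0.0 0.0.0.255 area 0
 ! "redistribute rip subnets" so classless prefixes are carried (7-6-2).
 redistribute rip subnets route-map RIP-TO-OSPF
 ! 7-6-3: for the prefixes in ACL 11, learned from any OSPF neighbor
 ! (0.0.0.0 255.255.255.255), use AD 121 instead of 110. RIP's AD 120
 ! then wins on this router, so the local table keeps the RIP source
 ! and the filters above keep working against the other exit point.
 distance 121 0.0.0.0 255.255.255.255 11
```

To check the result, "show ip route 172.16.1.0" on this router should show the prefix as a RIP route (AD 120) even while the other exit router is also advertising it as OSPF external, and "show ip route ospf" on the RIP-side routers should not list any 172.16.x.0 prefix that has been re-learned from OSPF. If a second exit router exists, the mirror-image configuration goes there with its own access-list of RIP-originated prefixes.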
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:52 GMT-3