RE: My checklist ( the final armor) for 5 April

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Sun Apr 03 2005 - 03:13:08 GMT-3


Also you should look at where you have multicast routing enabled and the
"flow" of your unicast routing to determine if you have the possibility
of RPF failures. This should be one of the first things you do when
configuring multicast.

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)

bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)

-----Original Message-----
From: Jongsoo kim [mailto:bstrt2002@gmail.com]
Sent: Saturday, April 02, 2005 9:41 PM
To: Brian Dennis
Cc: Group Study
Subject: Re: My checklist ( the final armor) for 5 April

Another excellent tip I didn't even think about. Thanks Brian!

On Apr 3, 2005 12:03 AM, Brian Dennis <bdennis@internetworkexpert.com> wrote:
> Jongsoo,
> I didn't notice it in your checklist and I could have overlooked it, but
> do you have plans to do a reachability test when the backup method is
> active?
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
>
> bdennis@internetworkexpert.com
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Jongsoo kim
> Sent: Saturday, April 02, 2005 8:50 PM
> To: Eric Taylor
> Cc: Group Study
> Subject: Re: My checklist ( the final armor) for 5 April
>
> Excellent Eric !
> The stuff like " clear ip bgp * soft" is exactly what I am looking
> for from study group.
>
> On Apr 2, 2005 10:41 PM, Eric Taylor <etaylor10@tampabay.rr.com> wrote:
> > Nice checklist.
> >
> > 12-5 validate config. Don't just wait for route update after "clear ip
> > bgp *" if you want to pass. It would take longer than a minute !!
> >
> > Try to use "clear ip bgp * soft" after applying filters.
> >
> > Good Luck!
> >
> > Eric
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Jongsoo kim
> > Sent: Saturday, April 02, 2005 9:19 PM
> > To: Group Study
> > Subject: My checklist ( the final armor) for 5 April
> >
> > This is the first time I am making my own checklist.
> > I think everyone should make his/her own before the CCIE lab!
> >
> > Bring different color pens and a highlighter
> > (I don't think the proctors care about them)
> >
> > #1 Spend a few minutes to understand the point distribution between
> > Core requirements (L2, IGP, BGP, ISDN) and non-core (IOS, Service,
> > Security, Mcast)
> >
> > #2 Spend a few minutes to understand the topology.
> > Figure out core network, stub network, BB
> >
> > #3 Enter alias commands in notepad and copy/paste to all routers.
> > One of my favorite aliases is
> > "show run | b Se"
> >
> > #3 Attack F/R (targeting 10~15 min)
> > Configure router by router, not interface by interface
> > Always 1) enc frame-relay 2) no frame inverse 3) no shut
> > Check if spoke-to-spoke connectivity is required by checking the Core IGP
> > section.
> > Ping from spoke to spoke if possible, not hub to spoke.
> >
> > If PPP over FR, then always create the VT first, then user/password
> >
> > #4 Attack CAT (15~20 min)
> > 4-1 Read the task and make a VLAN table like the one below
> > VL Router CAT1 CAT2 Router VL
> > 10 R1 f0/0------f0/1 f0/2 ---------f0/0 R2 10
> > 20 R3 f0/1------f0/3 f0/4 ---------f0/0 R4 30
> > 40 R5 f0/0 ------f0/5
> > 40 R6 f0/1-------f0/6
> > f0/23---f0/23
> > f0/24---f0/24
> > vl 10 vl40
> > client vtp server vtp
> > 4-2 Configure CAT1 and CAT2 and validate
> > 4-3 Read the task once again and make sure nothing is missed
> > 4-4 Ping vlan by vlan. Select only one device and ping all others on a
> > specific vlan.
> > No need to ping from multiple interfaces on the same vlan.
> > Don't wait for ARP resolution!
> > If PPP over ATM, then always create the VT or dialer interface first,
> > then user/password
> >
> > #5 Attack ATM (I can't afford to spend time if I screw up the config. 5~15 min)
> > Quickly decide PVC vs SVC
> > 5-1 If SVC, then decide "CLIP" or "SVC nsap"
> > Put "pvc 0/16 ilmi" and "pvc 0/5 qsaal", and "show atm ilmi-status" to
> > validate the nsap address.
> > 5-1-1 If CLIP, then decide "arp-server self" or "arp-server nsap"
> > And then decide physical or sub
> > 5-1-2 If SVC nsap, decide physical or logical
> > 5-2 If PVC, then decide "pvc vci/vpi" or map-list/map-group
> > 5-3 After 5-1 or 5-2 is done, figure out the nsap or vci/vpi. Pay attention:
> > the nsap is HEX!
> > 5-4 Ping and validate
> >
> > L2 is over in 30~50 min (worst case = 60 min)
> >
> > #6 Attack OSPF
> > 6-1 Draw a diagram to configure OSPF router by router, not area by area.
> > (10 min)
> > Check if there are:
> > authentication
> > stub or nssa
> > virtual link
> > Make a note on redistribute, summary, area-range.
> > Pay attention to DR/BDR, OSPF network type
> >
> > 6-2 Configure OSPF router by router based on the drawing, in black w/ green
> > highlighter (10~30 min)
> > 6-2-1 Always configure the interface first for 1) OSPF network type based
> > on DR/BDR, hello interval, etc. 2) authentication, 3) priority 4) loopback
> > interface ospf network type.
> > 6-2-2 Configure the OSPF process in order of 1) router-id, 2) network
> > (copy/paste from interface address), 3) neighbor command
> > 6-2-3 Validate everything is working (5 min)
> >
> > 6-3 Do redistribute, summary, area range (5 min)
> >
> > 6-4 Avoid any engagement with giant beasts. But make a note.
> >
> > OSPF takes 25~45 min (total 55 ~ 1:45)
> >
> > 7 Attack RIP (20~30 min)
> > It is very tricky!
> > 7-1 Add RIP topology into the OSPF drawing in blue (2 min).
> > 7-2 Make sure of active/passive interfaces
> > Pay attention to the RIP update method (M/B/U) and version,
> > authentication
> > Never assume it is always V2! no auto-summary, mcast, etc.
> > This selection can be applied to each direction of an interface.
> > 7-3 Configure router by router (5 min) per drawing
> > 7-4 Validate (3 min)
> > 7-5 Spend enough time to be absolutely correct on route-filter,
> > summary, etc. (5 min)
> > 7-6 If mutual redistribution is required, make sure whether it is multi-exit
> > point or single-exit point. Don't forget the metric.
> > If it is multi-exit point, write down "rip subnets" on notepad and do
> > the following (5 min)
> >
> > 7-6-1 "redistribute ospf" under "router rip"
> > ##### Protect RIP routes reentering from OSPF ############
> > "Deny rip routes and permit all" route-map for "redistribute ospf" to rip
> > Don't wait after "clear ip route *" is issued if I am not an "idiot!"
> >
> > 7-6-2 "redistribute rip subnets" under "router ospf"
> > ##### Protect OSPF external routes reentering from RIP #####
> > "Permit only rip routes" route-map for "redistribute rip subnets" to OSPF
> > Don't wait after "clear ip route *" is issued if I am not an "idiot!"
> >
> > 7-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router ospf"
> > ##### Fix redistributing router's AD for RIP routes #####
> > distance 121 0.0.0.0 255.255.255.255 11
> > "access-list 11 permit rip routes"
> > I saw sometimes this takes quite a few seconds. Don't do "clear ip ospf"
> > or I will end up spending more time just watching.
> >
> > RIP is over in 20~30 min (total 1:15 ~ 2:15)
> >
> > 8 Attack EIGRP (20~30 min)
> > 8-1 Add EIGRP topology into the OSPF drawing in black w/o highlighter
> > (2 min).
> > 8-2 Determine non/passive/active EIGRP interfaces. Be open-minded that
> > BB can be multicast/unicast. Load-balance, authentication, stub,
> > summary address (5 min)
> > 8-3 Configure router by router (5 min) per drawing
> > 8-4 Validate (5 min)
> > 8-5 Spend enough time to be absolutely correct on route-filter,
> > summary, etc. (5 min)
> > 8-6 If mutual redistribution is required, make sure whether it is multi-exit
> > point or single-exit point.
> >
> > If it is multi-exit point, write down "eigrp subnets" on notepad (5 min)
> > 8-6-1 "redistribute ospf" under "router eigrp"
> > ##### Protect EIGRP external routes reentering from OSPF #######
> > "Deny eigrp routes and permit all" route-map for "redistribute ospf" to
> > eigrp
> > Make sure the metric is configured.
> >
> > 8-6-2 "redistribute eigrp subnet" under "router ospf"
> > ##### Protect OSPF external routes reentering from EIGRP #####
> > "Only permit eigrp routes" route-map for "redistribute ospf" to eigrp
> > Make sure the metric is configured.
> >
> > 8-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router ospf"
> > ##### Fix redistributing router's AD for EIGRP external routes #####
> > distance 121 0.0.0.0 255.255.255.255 11
> > "access-list 11 permit eigrp routes"
> > I saw sometimes this takes quite a few seconds. Don't do "clear ip ospf"
> > or I will end up spending more time just watching.
> > Technically, only EIGRP external routes need this, but including EIGRP
> > routes won't hurt and keeps it simple.
> >
> > EIGRP is over in 20~30 min (total 1:35 ~ 2:45)
> >
> > 9 Attack ISIS (10 min)
> > 9-1 Add ISIS topology into the OSPF drawing in black w/ purple
> > highlighter (2 min).
> > 9-2 Determine area type, IS-type, authentication (domain, area,
> > interface level1-2).
> > Make sure of the correct value of the NET (it is hex), summary address
> > 9-3 Configure router by router.
> > 9-4 I don't believe there will be multi-exit mutual redistribution on ISIS
> > Make sure to redistribute connected networks from ISIS to OSPF.
> >
> > ISIS is over in 10~15 min (1:45 ~ 3:00)
> >
> > 10 Attack ISDN (15~30 min)
> > 10-1 Draw ISDN on a separate paper. (30 sec)
> > 10-2 Determine single/both callers, authentication type (no
> > auth/pap/chap), physical/dialer interface. PPP features = multilink,
> > callback
> > 10-3 Figure out the backup method (floating static/OSPF demand/watch
> > group/backup interface/rip trigger/snapshot routing), focusing on how
> > full reachability can be accomplished after F/R fails. Make sure the
> > link is not flapping.
> > 10-4 Determine if there is an additional task for interesting traffic
> > filtering.
> > 10-5 Configure ISDN router by router.
> > 10-5-1 Select switch type, spid, then shut and no shut, and show isdn status.
> > Make sure L2 is happy! Also make a quick test call using both
> > strings "isdn test call interface bri0/0 "string"" and disconnect
> > "isdn test disconnect interface bri0/0 all"
> > 10-5-2 Validate the link
> >
> > ISDN is over in 15~30 min (2:00 ~ 3:30)
> >
> > 11 Golden Moment (5~30 min)
> > Check for the Golden Moment (per NMC), meaning the exciting moment when you
> > get a ping response from every router to every router.
> > Run a tclsh script
> > "foreach addr {
> > 1.1.1.1
> > ...
> > } { ping $addr }"
> > Just copy/paste after tclsh (it is really cool when you see pings go
> > through from everywhere to everywhere). To quit, just type "tclq"
> >
> > 11.1 When a ping has no response, write down the IP address and
> > troubleshoot.
> > The drawing will be an excellent tool for troubleshooting
> > Don't bother with the ISDN link yet.
> >
> > Full reachability is done in 5~30 min (2:05 ~ 4:00)
> >
> > 12 Attack BGP (20~40 min)
> > 12.1 Draw a BGP topology on a separate paper. (3 min)
> > 12.2 Determine RR or CON or both to do full-mesh iBGP.
> > See if neighbor peer-group is required,
> > decide the IP address to use for the BGP session.
> > 12.3 Configure router by router, not BGP session by session;
> > always put no sync and no auto-summary if allowed.
> > 12-4 Spend enough time to be absolutely correct on route-filtering
> > (ACL, prefix-list, as-path filter), route-aggregation (w/ as-set,
> > summary-only, suppress-map, attribute-map, advertise-map),
> > route-manipulation (w/ as-prepending, med, local-pref, weight,
> > next-hop, advertise-map/non-exist-map, origin, community, etc.),
> > route-dampening, etc.
> > 12-5 Validate config. Don't just wait for route update after "clear ip
> > bgp *" if you want to pass. It would take longer than a minute !!
> >
> > BGP is over in 20~40 min (2:25 ~ 4:40). My target is before lunch!
> >
> > 13 IPv6 (10 min)
> > 13-1 Draw a simple diagram (1 min)
> > 13-2 Watch out for the link-local address over FR multilink.
> > SLA ID is the 4th 16 bits:
> > 16bit:16bit:16bit:SLA ID(16 bit):interface ID(64 bits)
> > site-local = FEC0::
> > link-local = fe80::
> > 13-3 Check full reachability using the tcl script or just manual pings
> > depending on the number of routers.
> >
> > IPv6 is over in 10 min (total 2:35 ~ 4:50)
> >
> > ################## Core routing is done ####################
> > I should have at least 3 hours to go.
> >
> > Strategy will change depending on how much time I have at this moment.
> >
> > 14 I would do multicast first (15 min)
> > 14-1 Mark the Mcast topology with red highlighter on the OSPF drawing.
> > 14-2 Determine mcast topology (dense-mode, static RP pim sparse,
> > Auto-rp/MA, pim V2 bsr, Auto-rp/MA/MSDP).
> > 14-3 Configure router by router
> > 14-4 Validate it
> > 14-5 If the second part is difficult, skip by making a note.
> >
> > 15 IOS/IP service
> > Be careful not to block or drop any IGP updates
> > 15-1 Just check quickly and do the easy ones first.
> > 15-2 Skip difficult tasks by making a note
> >
> > 16 QoS
> > Be careful not to block or drop any IGP updates
> > 16-1 Draw a flow on paper instead of in brain.
> > 16-2 Always determine classification method (ACL, NBAR) and direction.
> > 16-3 Determine shaping vs policing
> > 16-4 Consider all options for queuing (legacy custom/priority,
> > bandwidth/priority, shape average/peak, FRTS/GTS)
> > 16-5 Consider all options for policing (police, rate-limit, ip
> > multicast rate-limit, aggregate police (3550))
> > 16-6 If frame-relay, don't forget adaptive shaping (becn, fecn, foresight)
> > 16-7 Consider all dropping modes (random detect, ecn, tail drop,
> > marking, etc.)
> >
> > 17 Security
> > Be careful not to block or drop any IGP updates
> > 17-1 Draw a flow on paper instead of in brain.
> > 17-2 Consider all options for classification:
> > std/ext/reflexive/dynamic ACL,
> > IP inspect,
> > tcp intercept,
> > unicast RPF,
> > ip accounting output-packets/access-violations/precedence
> >
> > 17-2 When configuring switchport port-security mac-address, be careful
> > to include the virtual and physical MAC if HSRP is running.
> >
> > 18 DLSW
> > 18.1 Draw a quick topology (1 min)
> > 18.2 Decide method of DLSW: TCP, fst, fr. (I think only TCP will show up)
> > Peer on-demand (group/border)
> > Dynamic peering (dynamic)
> > Load-balance (round-robin, circuit-count),
> > Backup (backup peer or cost)
> > DLSW uses tcp 2065 and udp 2067
> > NAT can affect DLSW (higher IP DLSW peer drops)
> > 18.3 Decide type of filtering
> > 18-3-1 Netbios name filter (netbios access-list host xyz permit zyx)
> > Icanreach/icannotreach netbios-name /netbios-exclusive
> >
> > 18-3-2 MAC address filter (access-list 700-799, mac-address conversion
> > needed)
> > Icanreach/icannotreach mac-address/mac-exclusive (address
> > conversion)
> >
> > 18-3-3 LSAP filter (access-list 200-299 permit)
> > SNA only "access-list 200 permit 0x0000 0x0d0d"
> > SNA and Netbios "access-list 200 permit 0xf0f0 0x0101"
> > Icanreach/icannotreach saps
> > icannotreach saps f0 (deny netbios)
> >
> >
>
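
Brian's tip at the top of the thread (compare where multicast routing is enabled with the flow of unicast routing before configuring multicast) can be walked through mechanically. The following is an added example, not from anyone in the thread: a small Python model of the PIM RPF check, using a constructed unicast routing table, a constructed set of PIM-enabled interfaces and made-up addresses and interface names.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed unicast routing table for one router: (prefix, outgoing interface).
# The more specific 10.1.5.0/24 entry deliberately points away from the Frame
# Relay link, so a source in that subnet fails RPF if it arrives over Serial0/0.
UNICAST_TABLE: List[Tuple[str, str]] = [
    ("0.0.0.0/0",      "Serial0/0"),    # default via the Frame Relay hub
    ("10.1.0.0/16",    "Serial0/0"),
    ("10.1.5.0/24",    "Ethernet0/0"),  # more specific path via the LAN
    ("192.168.0.0/24", "Ethernet0/1"),
]

# Interfaces with "ip pim" configured (constructed). Ethernet0/1 is left out.
PIM_ENABLED = {"Serial0/0", "Ethernet0/0"}


def rpf_interface(table: List[Tuple[str, str]], source: str) -> Optional[str]:
    """Longest-prefix match for the multicast source. The interface the router
    would use to reach the source is the only one on which it accepts that
    source's multicast traffic (the RPF interface)."""
    src = ipaddress.ip_address(source)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_check(table, pim_ifaces, source: str, arrival_iface: str) -> str:
    """Classify an (S,G) packet from `source` arriving on `arrival_iface`:
    'pass', 'rpf-fail' (unicast path points out another interface),
    'no-pim' (RPF interface is right but PIM is not enabled on it), or
    'no-route' (no unicast route to the source, hence no RPF interface)."""
    expected = rpf_interface(table, source)
    if expected is None:
        return "no-route"
    if expected != arrival_iface:
        return "rpf-fail"
    if expected not in pim_ifaces:
        return "no-pim"
    return "pass"


def audit_sources(table, pim_ifaces, sources: List[str]) -> dict:
    """The pre-configuration walk-through: for each multicast source, which
    interface will accept its traffic, and is PIM enabled there?"""
    return {s: (rpf_interface(table, s), rpf_interface(table, s) in pim_ifaces)
            for s in sources}
```

Running `audit_sources` over every source and RP address in the lab topology before typing any `ip pim` commands surfaces the interfaces where the unicast path and the intended multicast path disagree.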



This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:52 GMT-3