Re: My checklist ( the final armor) for 5 April

From: Jongsoo kim (bstrt2002@gmail.com)
Date: Sun Apr 03 2005 - 02:41:26 GMT-3

Another execellent tip I didn't even think about Thanks Brian !

On Apr 3, 2005 12:03 AM, Brian Dennis <bdennis@internetworkexpert.com> wrote:
> Jongsoo,
> I didn't notice it in your checklist and I could have overlooked
> it but do you have plans to a reachability test when the backup method
> is active?
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
>
> bdennis@internetworkexpert.com
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Jongsoo kim
> Sent: Saturday, April 02, 2005 8:50 PM
> To: Eric Taylor
> Cc: Group Study
> Subject: Re: My checklist ( the final armor) for 5 April
>
> Excellent Eric !
> The stuff like " clear ip bgp * soft" is exactly what I am looking
> for from study group.
>
> On Apr 2, 2005 10:41 PM, Eric Taylor <etaylor10@tampabay.rr.com> wrote:
> > Nice checklist.
> >
> > 12-5 vaildate config. Don't just wait for route update afer "clear ip
> > bgp *" if you want to pass. It would take longer than a minute !!
> >
> > Try to use "clear ip bgp * soft" after applying filters.
> >
> > Good Luck!
> >
> > Eric
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > Jongsoo kim
> > Sent: Saturday, April 02, 2005 9:19 PM
> > To: Group Study
> > Subject: My checklist ( the final armor) for 5 April
> >
> > This is my first time when I am making my own checklist.
> > I think everyone should make his/her own before CCIE lab !
> >
> > Bring different color pens and high-lighter
> > ( I don't think proctor care about them)
> >
> > #1 Spend a few minute to understand the point distribution between
> > Core requirement (L2, IGP, BGP, ISDN) and non-core ( IOS, Service,
> > Security, Mcast)
> >
> > #2 Spend a few minute to understand the topology.
> > Figure out core network, stub network, BB
> >
> > #3 Enter Alias command to notepad and copy paste all router.
> > One of my favorite Aliases are
> > "show run | b Se"
> >
> > #3 Attack F/R ( targetting 10~15 min)
> > Configure Router by router not interface by interface
> > Always 1) enc frame-remay 2) no frame inverse 3) no shut
> > Check if spoke to spoke connectivity is required by checking Core IGP
> > section.
> > ping from spoke to spoke if possible. not hub to spoke.
> >
> > If PPP over FR, then always create VT first, user/password
> >
> > #4 Attack CAT ( 15~20 min)
> > 4-1 Read task and make VLAN table like below
> > VL Router CAT1 CAT2 Router VL
> > 10 R1 f0/0------f0/1 f0/2 ---------f0/0 R2 10
> > 20 R3 f0/1------f0/3 f0/4 ---------f0/0 R4 30
> > 40 R5 f0/0 ------f0/5
> > 40 R6 f0/1-------f0/6
> > f0/23---f0/23
> > f0/24---f0/24
> > vl 10 vl40
> > client vtp server vtp
> > 4-2 configure CAT1 and CAT2 and validate
> > 4-3 Read task once again and make sure nothing missed
> > 4-4 ping vlan by vlan. Select only one device and ping all other on a
> > specific vlan.
> > No need to ping from multiple interface on a same vlan.
> > Don't wait for Arp resolution!
> > If PPP over ATM, then always create VT or dialer interface first, then
> > user/password
> >
> > #5 Attack ATM ( I can't spend time if I screwed config. 5~15min )
> > Quickly decide PVC vs SVC
> > 5-1 If SVC, then decide "CLIP" or "SVC nsap"
> > Put "pvc 0/16 ilmi and pvc 0/5 qsaal " and "show atm ilmi-status" to
> > vaildate nsap address.
> > 5-1-1 if CLIP, then decide "arp-server self" or "arp-server nsap"
> > And then decide physical or sub
> > 5-1-2 if SVC nsap, decide physical or logical
> > 5-2 if PVC, then decide "pvc vci/vpi" or map-list/map-group
> > 5-3 after 5-1 or 5-2 done, figure our nsap or vci/vpi. Pay attention
> > nssp is HEX!
> > 5-4 ping and validate
> >
> > L2 is over between 30~50 min ( Worst case = 60 min)
> >
> > #6 Attack OSPF
> > 6-1 Draw a diagram to configure OSPF router by router not area by
> area.( 10
> > min)
> > Check if there are
> > authentication
> > stub or nssa.
> > virtual link
> > Make a note on redistribute, summary, area-range.
> > Pay attention DR/BDR, OPSF network type
> >
> > 6-2
> > Configure OSPF router by router based on drawing in Black w/ green
> > high-lighter( 10~30 min)
> > 6-2-1 Always configure Inteface first for 1)OPSF network type based
> > on DR/BDR, hello interval, etc 2) Authentication, 3) priority 4) Loop
> > interface ospf network type.
> > 6-2-2 configure OSPF process in order of 1) router-id, 2) network (
> > copy past from interface address), 3) neighbor command
> > 6-2-3 Validate everything is working ( 5 min)
> >
> > 6-3 Do redistribute, summary, area range ( 5 min)
> >
> > 6-4 avoid any engagement with giant beasts. But make a note.
> >
> > OSPF is from 25 ~ 45 Min ( total 55 ~1:45)
> >
> > 7 Attack RIP( 20~30 min)
> > It is very tricky!
> > 7-1 add RIP topology into OPSF drawing in blue ( 2 min).
> > 7-2 Make sure active/passive interface
> > Pay attention of rip update method ( M/B/U) and version,
> > authentication
> > Never assume it is always V2!, no auto-summary, mcast, etc
> > This selection can be applied to each direction of interface.
> > 7-3 Configure router by router( 5 min) per drawing
> > 7-4 valiadte ( 3 min)
> > 7-5 Spend enough time to be absolutely correct on route-filter,
> > summary, etc ( 5 min)
> > 7-6 If mutual-redistribution is required, make sure multi-exit point
> > ot single-exit point. Don't fotget metric.
> > If it is multi-exit point, write down "rip subnets" on notepad and do
> > the following( 5 min)
> >
> > 7-6-1 "redistribute ospf" under "router rip"
> > ##### Protect Rip routes reentering from OSPF ############
> > "Deny rip routes and permit all" route-map for "redistribute ospf" to
> rip
> > Don't wait after "clear ip route * " is issued if I am not "idiot!"
> >
> > 7-6-2 "redistribute rip subnets" under "router ospf"
> > ##### Protect OSPF external routes reentering from Rip #####
> > "Permit only rip routes" route-map for "redistribute rip subnets" to
> OSPF
> > Don't wait after "clear ip route * " is issued if I am not "idiot!"
> >
> > 7-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
> > ##### Fix redistributing router's AD for Rip routes #####
> > distance 121 0.0.0.0 255.255.255.255 11
> > "access-list 11 permit rip routes"
> > I saw sometimes this takes quite a few second. Don't do "clear ip
> > OPSF" or I will end up spending more time just for watching.
> >
> > RIP is over 20 ~30 min( total 1:15 ~ 2:15)
> >
> > 8 Attack EIGRP ( 20~30min)
> > 8-1 add EIGRP topology into OPSF drawing in black w/o high lighter ( 2
> min).
> > 8-2 Determine non/passive/active-eigrp interface. Be open minded that
> > BB can be multicast/unicast. Load-balance, authentication, stub,
> > summary address( 5 min )
> > 8-3 Configure router by router( 5 min) per drawing
> > 8-4 validate ( 5 min)
> > 8-5 Spend enough time to be absolutely correct on route-filter,
> > summary, etc ( 5 min)
> > 8-6 If mutual-redistribution is required, make sure multi-exit point
> > ot single-exit point.
> >
> > If it is multi-exit point, write down "eigrp subnets" on notepad ( 5
> min)
> > 8-6-1"redistribute ospf" under "router eigrp"
> > #####Protect EIGRP external route reentering from OSPF #######
> > "Deny eigrp routes and permit all" route-map for "redistribute ospf"
> to
> > eigrp
> > Make sure metric is configured.
> >
> > 8-6-2 "redistribute eigrp subnet" under "router ospf"
> > ##### Protect OSPF external routes reentering from EIGRP
> > "Only permit eigrp routes" route-map for "redistribute ospf" to eigrp
> > Make sure metric is configured.
> >
> > 8-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
> > ##### Fix redistributing router's AD for eigrp external routes #####
> > distance 121 0.0.0.0 255.255.255.255 11
> > "access-list 11 permit eigrp routes"
> > I saw sometimes this takes quite a few second. Don't do "clear ip
> > OPSF" or I will end up spending more time just for watching.
> > Technically, only eigrp external route needs to be applied but eigrp
> > route won't hurt and make it simple.
> >
> > EIGRP is over in 20~30 min (1:35 ~2:45 min)
> >
> > 9.Attack ISIS ( 10 min)
> > 9-1 add ISIS topology into OPSF drawing in black w/ purple high
> > lighter ( 2 min).
> > 9-2 determine area type, IS-type, authentication ( domain, area,
> > interface level1-2).
> > Make sure of correct value of NET ( it is Hex), summary address
> > 9-3 Configure router by router.
> > 9-4 I don't believe there will be multi-exit mutual redistribution on
> ISIS
> > Make sure to redistribute connect network from ISIS to OSPF.
> >
> > ISIS is over in 10~15 min ( 1:45 ~3:00)
> >
> > 10 Attack ISDN ( 15~30 min)
> > 10-1 draw ISDN on a separate paper. ( 30 sec)
> > 10-2 Determine single/both callers, authentication type( no
> > auth/pap/chap), physical/dialer interface. PPP feature = multilink,
> > callback,
> > 10-3 Figure out back-up method ( floating static/OSPF demand/watch
> > group/back-up interface/rip trriger/ snap-shot routing ) focus on how
> > full reachability can be accomplished after F/R failed. Make sure
> > link is not flapping.
> > 10-4 Determine if there is additional task for interesting traffic
> > filtering.
> > 10-5 configure ISDN router by router.
> > 10-5-1 select switch type, spid and shut and no shut and show isdn
> status.
> > make sure L2 is happy! Also make a quick test call using both
> > string " isdn test call interface bri0/0 "string" " and disconnect "
> > isdn test disconnect interface bri0/0 all"
> > 10-5-2 validate the link
> >
> > ISDN is over in 15 ~30 min ( 2:00 ~ 3:30)
> >
> > 11 Golden Moment ( 5~30 min)
> > Check the Golden moment per NMC meaning the exciting moment when you
> > get ping response from every router to every router.
> > Run tclsh script
> > "foreach addr {
> > 1.1.1.1
> > ...
> > } { ping $ addr}"
> > Just copy past after tclsh ( it is really cool when you see pings go
> > through from everywhere to everywhere). To quit, juts type " tclq"
> >
> > 11.1 when ping has no response, write down ip address and
> troubleshoot.
> > Drawing will be the excellent tool for troubleshooting
> > Don't bother ISDN link yet.
> >
> > Full reachability is done in 5 ~30 min ( 2:05 ~4:00)
> >
> > 12 Attack BGP( 20 ~40 min)
> > 12.1 Drawing a BGP topology on a separate paper.( 3 min)
> > 12.2 Determine RR or CON or both to do full-mesh iBGP.
> > See if neighbor peer-group is required,
> > decide ip address ot use bgp session.
> > 12.3 Configure router by router not BGP session-by-session
> > always put no sync and no auto-summary if allowed.
> > 12-4 Spend enough time to be absolutely correct on route-filtering (
> > ACL, prefix-list, as-path filer), route-aggregate(w/ as-set,
> > summary-only, supress-map, attribute-map, advertise-map),
> > route-manipulation( w/as-prepending, med, local-pref, weight,
> > next-hop, advertise-map/non/existing-map, orgin, community, etc )
> > route-dampening, etc.
> > 12-5 vaildate config. Don't just wait for route update afer "clear ip
> > bgp *" if you want to pass. It would take longer than a minute !!
> >
> > BGP is over in 20 ~40 ( 2:25 ~ 4:40) My target is before lunch!
> >
> > 13 IPv6( 10 min)
> > 13-1 draw a sipmple diagram ( 1 min)
> > 13-2 Watch out link local address over FR multilink.
> > SLA ID is 4th 16bit
> > 16bit:16bit:16bit:SLA ID(16 bit) : interface ID( 64 bits)
> > site-local = FEC0::
> > link-local = fe80::
> > 13-3 Check a full reachability using tcl script or just manual ping
> > depneding on the number router.
> >
> > IPv6 is over 10 min ( total 2:35 ~ 4 :50)
> >
> > ################## Core routing is done ####################
> > I should have at least 3 hours to go at least.
> >
> > Strategy will change depending how much time I have at this moment.
> >
> > 14 I would do multicast first ( 15 min)
> > 14-1 Mark a Mcast topology with red high lighter on OSPF drawing.
> > 14-2 Determine mcast topology ( dense-mode, static RP pim sparse,
> > Auto-rp/MA, pim V2 bsr, Auto-rp/MA/MSDP).
> > 14-3 Configure router-by-router
> > 14-4 valildate it
> > 14-5 If second part is difficult, skip by making a note.
> >
> > 15 IOS/IP service
> > Be careful not to block or drop any IGP updates
> > 15-1, just check quikcly and do easy one first.
> > 15-2, skip difficult task by making a note
> >
> > 16 QoS
> > Be careful not to block or drop any IGP updates
> > 16-1 Draw a flow on paper instead of in brain.
> > 16-2 Always determine classification method( ACL, NBAR) and direction.
> > 16-3 Determine shaping vs policing
> > 16-4 Consider all options for queuing( legacy custom/priority,
> > bandwidth/priority, shape average/peak, FRTS/GTS)
> > 16-5 consider all options for policing ( police, rate-limit, ip
> > multicast rate-limit, aggregate police( 3550))
> > 16-6 If frame-relay, don't forget adaptive-shaping.( becn, fecn,
> foresight)
> > 16-7 Consider all droping mode (random detect, ecn, tail drop,
> marking, etc)
> >
> > 17 Security
> > Be careful not to block or drop any IGP updates
> > 17-1 Draw a flow on paper instead of in brain.
> > 17-2 Consdier all options for classification
> > std/ext/reflexive/dynamic ACL,
> > IP insepct,
> > tcp intercept
> > unicast RFP,
> > ip accouting output packet /access-violation/precedence,
> >
> > 17-2 When configuring Switchport port-security mac-address, be careful
> > to include vurtual and physical mac if HSRP is running.
> >
> > 18 DLSW
> > 18.1 Draw a qucik topology ( 1 min)
> > 18.2 Decide method of DLSW TCP, fst, fr.( I think only TCP will show
> up)
> > Peer on-demand( group/border)
> > Dynamic peering ( dynamic)
> > Loadbalance (round-robin, circuit-count),
> > Back-up ( back-up peer or cost)
> > DSLW use tcp 2065 and udp 2067
> > NAT can affect DLSW ( higher ip DLSW peer drops)
> > 18.3 decide type of filtering
> > 18-3-1 Netbios name filter( netbios access-list host xyz permit zyx )
> > Icanreach/icannotreach netbios-name /netbiosexclusive
> >
> > 18-3-2 MAC address filer ( access-list 700-799, mac-address
> conevrsion
> > needed )
> > Icanreach/icannotreach mac-address/mac-exclusive( address
> > conversion)
> >
> > 18-3-3 LSAP filter ( access-list 200-299 permit )
> > SNA only "access-list 200 permit 0x0000 0x0d0d"
> > SNA and Netbios " access-list 200 permit 0xf0f0 0x0101
> > Icanreach/icannotreach saps
> > icannotreach saps f0 ( deny netbios)
> >
> >
> _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:52 GMT-3