Re: My checklist ( the final armor) for 5 April

From: Amran (amran.gs@gmail.com)
Date: Sun Apr 03 2005 - 16:28:58 GMT-3

Hi

In Jongsoos list he says he has a preference for "router by router"
config rather than "int by int". By doing int by int I can also then
check for connectivity as I go along, whereas router by router
introduces more chances of "overlooking" a connectivity test as there
are more interfaces involved during each router config.

Just wondering the best way to approach this, the pros and cons on both.

Thanks
-A

On Apr 3, 2005 7:34 AM, Jongsoo kim <bstrt2002@gmail.com> wrote:
> Absolutely convinced. Thanks Brian.
>
> Probably, I will post my revision tomorrow when I am in RTP.
>
> Jongsoo
>
> On Apr 3, 2005 1:13 AM, Brian Dennis <bdennis@internetworkexpert.com> wrote:
> > Also you should look at where you have multicast routing enabled and the
> > "flow" of your unicast routing to determine if you have the possibility
> > of RPF failures. This should be one of the first things you do when
> > configuring multicast.
> >
> > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> >
> > bdennis@internetworkexpert.com
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 775-745-6404 (Outside the US and Canada)
> >
> > -----Original Message-----
> > From: Jongsoo kim [mailto:bstrt2002@gmail.com]
> > Sent: Saturday, April 02, 2005 9:41 PM
> > To: Brian Dennis
> > Cc: Group Study
> > Subject: Re: My checklist ( the final armor) for 5 April
> >
> > Another execellent tip I didn't even think about Thanks Brian !
> >
> > On Apr 3, 2005 12:03 AM, Brian Dennis <bdennis@internetworkexpert.com>
> > wrote:
> > > Jongsoo,
> > > I didn't notice it in your checklist and I could have
> > overlooked
> > > it but do you have plans to a reachability test when the backup method
> > > is active?
> > >
> > > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> > >
> > > bdennis@internetworkexpert.com
> > > Internetwork Expert, Inc.
> > > http://www.InternetworkExpert.com
> > > Toll Free: 877-224-8987
> > > Direct: 775-745-6404 (Outside the US and Canada)
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of
> > > Jongsoo kim
> > > Sent: Saturday, April 02, 2005 8:50 PM
> > > To: Eric Taylor
> > > Cc: Group Study
> > > Subject: Re: My checklist ( the final armor) for 5 April
> > >
> > > Excellent Eric !
> > > The stuff like " clear ip bgp * soft" is exactly what I am looking
> > > for from study group.
> > >
> > > On Apr 2, 2005 10:41 PM, Eric Taylor <etaylor10@tampabay.rr.com>
> > wrote:
> > > > Nice checklist.
> > > >
> > > > 12-5 vaildate config. Don't just wait for route update afer "clear
> > ip
> > > > bgp *" if you want to pass. It would take longer than a minute !!
> > > >
> > > > Try to use "clear ip bgp * soft" after applying filters.
> > > >
> > > > Good Luck!
> > > >
> > > > Eric
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf
> > Of
> > > > Jongsoo kim
> > > > Sent: Saturday, April 02, 2005 9:19 PM
> > > > To: Group Study
> > > > Subject: My checklist ( the final armor) for 5 April
> > > >
> > > > This is my first time when I am making my own checklist.
> > > > I think everyone should make his/her own before CCIE lab !
> > > >
> > > > Bring different color pens and high-lighter
> > > > ( I don't think proctor care about them)
> > > >
> > > > #1 Spend a few minute to understand the point distribution between
> > > > Core requirement (L2, IGP, BGP, ISDN) and non-core ( IOS, Service,
> > > > Security, Mcast)
> > > >
> > > > #2 Spend a few minute to understand the topology.
> > > > Figure out core network, stub network, BB
> > > >
> > > > #3 Enter Alias command to notepad and copy paste all router.
> > > > One of my favorite Aliases are
> > > > "show run | b Se"
> > > >
> > > > #3 Attack F/R ( targetting 10~15 min)
> > > > Configure Router by router not interface by interface
> > > > Always 1) enc frame-remay 2) no frame inverse 3) no shut
> > > > Check if spoke to spoke connectivity is required by checking Core
> > IGP
> > > > section.
> > > > ping from spoke to spoke if possible. not hub to spoke.
> > > >
> > > > If PPP over FR, then always create VT first, user/password
> > > >
> > > > #4 Attack CAT ( 15~20 min)
> > > > 4-1 Read task and make VLAN table like below
> > > > VL Router CAT1 CAT2 Router VL
> > > > 10 R1 f0/0------f0/1 f0/2 ---------f0/0 R2 10
> > > > 20 R3 f0/1------f0/3 f0/4 ---------f0/0 R4 30
> > > > 40 R5 f0/0 ------f0/5
> > > > 40 R6 f0/1-------f0/6
> > > > f0/23---f0/23
> > > > f0/24---f0/24
> > > > vl 10 vl40
> > > > client vtp server vtp
> > > > 4-2 configure CAT1 and CAT2 and validate
> > > > 4-3 Read task once again and make sure nothing missed
> > > > 4-4 ping vlan by vlan. Select only one device and ping all other on
> > a
> > > > specific vlan.
> > > > No need to ping from multiple interface on a same vlan.
> > > > Don't wait for Arp resolution!
> > > > If PPP over ATM, then always create VT or dialer interface first,
> > then
> > > > user/password
> > > >
> > > > #5 Attack ATM ( I can't spend time if I screwed config. 5~15min )
> > > > Quickly decide PVC vs SVC
> > > > 5-1 If SVC, then decide "CLIP" or "SVC nsap"
> > > > Put "pvc 0/16 ilmi and pvc 0/5 qsaal " and "show atm ilmi-status" to
> > > > vaildate nsap address.
> > > > 5-1-1 if CLIP, then decide "arp-server self" or "arp-server nsap"
> > > > And then decide physical or sub
> > > > 5-1-2 if SVC nsap, decide physical or logical
> > > > 5-2 if PVC, then decide "pvc vci/vpi" or map-list/map-group
> > > > 5-3 after 5-1 or 5-2 done, figure our nsap or vci/vpi. Pay
> > attention
> > > > nssp is HEX!
> > > > 5-4 ping and validate
> > > >
> > > > L2 is over between 30~50 min ( Worst case = 60 min)
> > > >
> > > > #6 Attack OSPF
> > > > 6-1 Draw a diagram to configure OSPF router by router not area by
> > > area.( 10
> > > > min)
> > > > Check if there are
> > > > authentication
> > > > stub or nssa.
> > > > virtual link
> > > > Make a note on redistribute, summary, area-range.
> > > > Pay attention DR/BDR, OPSF network type
> > > >
> > > > 6-2
> > > > Configure OSPF router by router based on drawing in Black w/ green
> > > > high-lighter( 10~30 min)
> > > > 6-2-1 Always configure Inteface first for 1)OPSF network type
> > based
> > > > on DR/BDR, hello interval, etc 2) Authentication, 3) priority 4)
> > Loop
> > > > interface ospf network type.
> > > > 6-2-2 configure OSPF process in order of 1) router-id, 2) network (
> > > > copy past from interface address), 3) neighbor command
> > > > 6-2-3 Validate everything is working ( 5 min)
> > > >
> > > > 6-3 Do redistribute, summary, area range ( 5 min)
> > > >
> > > > 6-4 avoid any engagement with giant beasts. But make a note.
> > > >
> > > > OSPF is from 25 ~ 45 Min ( total 55 ~1:45)
> > > >
> > > > 7 Attack RIP( 20~30 min)
> > > > It is very tricky!
> > > > 7-1 add RIP topology into OPSF drawing in blue ( 2 min).
> > > > 7-2 Make sure active/passive interface
> > > > Pay attention of rip update method ( M/B/U) and version,
> > > > authentication
> > > > Never assume it is always V2!, no auto-summary, mcast, etc
> > > > This selection can be applied to each direction of interface.
> > > > 7-3 Configure router by router( 5 min) per drawing
> > > > 7-4 valiadte ( 3 min)
> > > > 7-5 Spend enough time to be absolutely correct on route-filter,
> > > > summary, etc ( 5 min)
> > > > 7-6 If mutual-redistribution is required, make sure multi-exit point
> > > > ot single-exit point. Don't fotget metric.
> > > > If it is multi-exit point, write down "rip subnets" on notepad and
> > do
> > > > the following( 5 min)
> > > >
> > > > 7-6-1 "redistribute ospf" under "router rip"
> > > > ##### Protect Rip routes reentering from OSPF ############
> > > > "Deny rip routes and permit all" route-map for "redistribute ospf"
> > to
> > > rip
> > > > Don't wait after "clear ip route * " is issued if I am not "idiot!"
> > > >
> > > > 7-6-2 "redistribute rip subnets" under "router ospf"
> > > > ##### Protect OSPF external routes reentering from Rip #####
> > > > "Permit only rip routes" route-map for "redistribute rip subnets" to
> > > OSPF
> > > > Don't wait after "clear ip route * " is issued if I am not "idiot!"
> > > >
> > > > 7-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
> > > > ##### Fix redistributing router's AD for Rip routes #####
> > > > distance 121 0.0.0.0 255.255.255.255 11
> > > > "access-list 11 permit rip routes"
> > > > I saw sometimes this takes quite a few second. Don't do "clear ip
> > > > OPSF" or I will end up spending more time just for watching.
> > > >
> > > > RIP is over 20 ~30 min( total 1:15 ~ 2:15)
> > > >
> > > > 8 Attack EIGRP ( 20~30min)
> > > > 8-1 add EIGRP topology into OPSF drawing in black w/o high lighter (
> > 2
> > > min).
> > > > 8-2 Determine non/passive/active-eigrp interface. Be open minded
> > that
> > > > BB can be multicast/unicast. Load-balance, authentication, stub,
> > > > summary address( 5 min )
> > > > 8-3 Configure router by router( 5 min) per drawing
> > > > 8-4 validate ( 5 min)
> > > > 8-5 Spend enough time to be absolutely correct on route-filter,
> > > > summary, etc ( 5 min)
> > > > 8-6 If mutual-redistribution is required, make sure multi-exit point
> > > > ot single-exit point.
> > > >
> > > > If it is multi-exit point, write down "eigrp subnets" on notepad ( 5
> > > min)
> > > > 8-6-1"redistribute ospf" under "router eigrp"
> > > > #####Protect EIGRP external route reentering from OSPF #######
> > > > "Deny eigrp routes and permit all" route-map for "redistribute ospf"
> > > to
> > > > eigrp
> > > > Make sure metric is configured.
> > > >
> > > > 8-6-2 "redistribute eigrp subnet" under "router ospf"
> > > > ##### Protect OSPF external routes reentering from EIGRP
> > > > "Only permit eigrp routes" route-map for "redistribute ospf" to
> > eigrp
> > > > Make sure metric is configured.
> > > >
> > > > 8-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
> > > > ##### Fix redistributing router's AD for eigrp external routes #####
> > > > distance 121 0.0.0.0 255.255.255.255 11
> > > > "access-list 11 permit eigrp routes"
> > > > I saw sometimes this takes quite a few second. Don't do "clear ip
> > > > OPSF" or I will end up spending more time just for watching.
> > > > Technically, only eigrp external route needs to be applied but eigrp
> > > > route won't hurt and make it simple.
> > > >
> > > > EIGRP is over in 20~30 min (1:35 ~2:45 min)
> > > >
> > > > 9.Attack ISIS ( 10 min)
> > > > 9-1 add ISIS topology into OPSF drawing in black w/ purple high
> > > > lighter ( 2 min).
> > > > 9-2 determine area type, IS-type, authentication ( domain, area,
> > > > interface level1-2).
> > > > Make sure of correct value of NET ( it is Hex), summary address
> > > > 9-3 Configure router by router.
> > > > 9-4 I don't believe there will be multi-exit mutual redistribution
> > on
> > > ISIS
> > > > Make sure to redistribute connect network from ISIS to OSPF.
> > > >
> > > > ISIS is over in 10~15 min ( 1:45 ~3:00)
> > > >
> > > > 10 Attack ISDN ( 15~30 min)
> > > > 10-1 draw ISDN on a separate paper. ( 30 sec)
> > > > 10-2 Determine single/both callers, authentication type( no
> > > > auth/pap/chap), physical/dialer interface. PPP feature = multilink,
> > > > callback,
> > > > 10-3 Figure out back-up method ( floating static/OSPF demand/watch
> > > > group/back-up interface/rip trriger/ snap-shot routing ) focus on
> > how
> > > > full reachability can be accomplished after F/R failed. Make sure
> > > > link is not flapping.
> > > > 10-4 Determine if there is additional task for interesting traffic
> > > > filtering.
> > > > 10-5 configure ISDN router by router.
> > > > 10-5-1 select switch type, spid and shut and no shut and show isdn
> > > status.
> > > > make sure L2 is happy! Also make a quick test call using both
> > > > string " isdn test call interface bri0/0 "string" " and disconnect "
> > > > isdn test disconnect interface bri0/0 all"
> > > > 10-5-2 validate the link
> > > >
> > > > ISDN is over in 15 ~30 min ( 2:00 ~ 3:30)
> > > >
> > > > 11 Golden Moment ( 5~30 min)
> > > > Check the Golden moment per NMC meaning the exciting moment when you
> > > > get ping response from every router to every router.
> > > > Run tclsh script
> > > > "foreach addr {
> > > > 1.1.1.1
> > > > ...
> > > > } { ping $ addr}"
> > > > Just copy past after tclsh ( it is really cool when you see pings go
> > > > through from everywhere to everywhere). To quit, juts type " tclq"
> > > >
> > > > 11.1 when ping has no response, write down ip address and
> > > troubleshoot.
> > > > Drawing will be the excellent tool for troubleshooting
> > > > Don't bother ISDN link yet.
> > > >
> > > > Full reachability is done in 5 ~30 min ( 2:05 ~4:00)
> > > >
> > > > 12 Attack BGP( 20 ~40 min)
> > > > 12.1 Drawing a BGP topology on a separate paper.( 3 min)
> > > > 12.2 Determine RR or CON or both to do full-mesh iBGP.
> > > > See if neighbor peer-group is required,
> > > > decide ip address ot use bgp session.
> > > > 12.3 Configure router by router not BGP session-by-session
> > > > always put no sync and no auto-summary if allowed.
> > > > 12-4 Spend enough time to be absolutely correct on route-filtering (
> > > > ACL, prefix-list, as-path filer), route-aggregate(w/ as-set,
> > > > summary-only, supress-map, attribute-map, advertise-map),
> > > > route-manipulation( w/as-prepending, med, local-pref, weight,
> > > > next-hop, advertise-map/non/existing-map, orgin, community, etc )
> > > > route-dampening, etc.
> > > > 12-5 vaildate config. Don't just wait for route update afer "clear
> > ip
> > > > bgp *" if you want to pass. It would take longer than a minute !!
> > > >
> > > > BGP is over in 20 ~40 ( 2:25 ~ 4:40) My target is before lunch!
> > > >
> > > > 13 IPv6( 10 min)
> > > > 13-1 draw a sipmple diagram ( 1 min)
> > > > 13-2 Watch out link local address over FR multilink.
> > > > SLA ID is 4th 16bit
> > > > 16bit:16bit:16bit:SLA ID(16 bit) : interface ID( 64 bits)
> > > > site-local = FEC0::
> > > > link-local = fe80::
> > > > 13-3 Check a full reachability using tcl script or just manual ping
> > > > depneding on the number router.
> > > >
> > > > IPv6 is over 10 min ( total 2:35 ~ 4 :50)
> > > >
> > > > ################## Core routing is done ####################
> > > > I should have at least 3 hours to go at least.
> > > >
> > > > Strategy will change depending how much time I have at this moment.
> > > >
> > > > 14 I would do multicast first ( 15 min)
> > > > 14-1 Mark a Mcast topology with red high lighter on OSPF drawing.
> > > > 14-2 Determine mcast topology ( dense-mode, static RP pim sparse,
> > > > Auto-rp/MA, pim V2 bsr, Auto-rp/MA/MSDP).
> > > > 14-3 Configure router-by-router
> > > > 14-4 valildate it
> > > > 14-5 If second part is difficult, skip by making a note.
> > > >
> > > > 15 IOS/IP service
> > > > Be careful not to block or drop any IGP updates
> > > > 15-1, just check quikcly and do easy one first.
> > > > 15-2, skip difficult task by making a note
> > > >
> > > > 16 QoS
> > > > Be careful not to block or drop any IGP updates
> > > > 16-1 Draw a flow on paper instead of in brain.
> > > > 16-2 Always determine classification method( ACL, NBAR) and
> > direction.
> > > > 16-3 Determine shaping vs policing
> > > > 16-4 Consider all options for queuing( legacy custom/priority,
> > > > bandwidth/priority, shape average/peak, FRTS/GTS)
> > > > 16-5 consider all options for policing ( police, rate-limit, ip
> > > > multicast rate-limit, aggregate police( 3550))
> > > > 16-6 If frame-relay, don't forget adaptive-shaping.( becn, fecn,
> > > foresight)
> > > > 16-7 Consider all droping mode (random detect, ecn, tail drop,
> > > marking, etc)
> > > >
> > > > 17 Security
> > > > Be careful not to block or drop any IGP updates
> > > > 17-1 Draw a flow on paper instead of in brain.
> > > > 17-2 Consdier all options for classification
> > > > std/ext/reflexive/dynamic ACL,
> > > > IP insepct,
> > > > tcp intercept
> > > > unicast RFP,
> > > > ip accouting output packet /access-violation/precedence,
> > > >
> > > > 17-2 When configuring Switchport port-security mac-address, be
> > careful
> > > > to include vurtual and physical mac if HSRP is running.
> > > >
> > > > 18 DLSW
> > > > 18.1 Draw a qucik topology ( 1 min)
> > > > 18.2 Decide method of DLSW TCP, fst, fr.( I think only TCP will show
> > > up)
> > > > Peer on-demand( group/border)
> > > > Dynamic peering ( dynamic)
> > > > Loadbalance (round-robin, circuit-count),
> > > > Back-up ( back-up peer or cost)
> > > > DSLW use tcp 2065 and udp 2067
> > > > NAT can affect DLSW ( higher ip DLSW peer drops)
> > > > 18.3 decide type of filtering
> > > > 18-3-1 Netbios name filter( netbios access-list host xyz permit zyx
> > )
> > > > Icanreach/icannotreach netbios-name /netbiosexclusive
> > > >
> > > > 18-3-2 MAC address filer ( access-list 700-799, mac-address
> > > conevrsion
> > > > needed )
> > > > Icanreach/icannotreach mac-address/mac-exclusive( address
> > > > conversion)
> > > >
> > > > 18-3-3 LSAP filter ( access-list 200-299 permit )
> > > > SNA only "access-list 200 permit 0x0000 0x0d0d"
> > > > SNA and Netbios " access-list 200 permit 0xf0f0 0x0101
> > > > Icanreach/icannotreach saps
> > > > icannotreach saps f0 ( deny netbios)
> > > >
> > > >
> > >
> > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > >
> > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:52 GMT-3