From: Jongsoo kim (bstrt2002@gmail.com)
Date: Mon Apr 04 2005 - 01:51:12 GMT-3
Is that really necessary? Because in theory and in normal life, a reboot
shouldn't make a difference... And rebooting is time consuming as well.
When the lab ends, the proctor always says "you don't have to save config",
even though I always saved, like many others...
I can see that if I didn't lock DR selection in OSPF, rebooting
may choose a wrong DR, which can ruin the whole IGP...
On Apr 4, 2005 12:33 AM, Hoonpongsimanont, Chalermchai
<chalermchai.hoonpongsimanont@atosorigin.com> wrote:
> I would suggest you reboot all routers before 14 and after 18. /David
>
> -----Original Message-----
> From: Brian Dennis [mailto:bdennis@internetworkexpert.com]
> Sent: Monday, April 04, 2005 4:37 AM
> To: Amran
> Cc: Group Study
> Subject: RE: My checklist ( the final armor) for 5 April
>
> Amran,
> It's something of a personal preference. If you are more
> comfortable doing it one way over another then use the method you are
> most comfortable with. Personally I configure networks segment by
> segment rather than router by router. I try to break things down to
> their simplest form, and looking at an individual segment, be it
> FastEthernet, Frame Relay, ATM, etc., is what I find works best. Remember
> that the lab is a lot of relatively simple tasks put together to make
> something more complicated ;-)
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
>
> bdennis@internetworkexpert.com
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
> -----Original Message-----
> From: Amran [mailto:amran.gs@gmail.com]
> Sent: Sunday, April 03, 2005 12:29 PM
> To: Jongsoo kim
> Cc: Brian Dennis; Group Study
> Subject: Re: My checklist ( the final armor) for 5 April
>
> Hi
>
> In Jongsoo's list he says he has a preference for "router by router"
> config rather than "int by int". By doing int by int I can also then
> check for connectivity as I go along, whereas router by router
> introduces more chances of "overlooking" a connectivity test as there
> are more interfaces involved during each router config.
>
> Just wondering the best way to approach this, the pros and cons on both.
>
> Thanks
> -A
>
> On Apr 3, 2005 7:34 AM, Jongsoo kim <bstrt2002@gmail.com> wrote:
> > Absolutely convinced. Thanks Brian.
> >
> > Probably, I will post my revision tomorrow when I am in RTP.
> >
> > Jongsoo
> >
> > On Apr 3, 2005 1:13 AM, Brian Dennis <bdennis@internetworkexpert.com> wrote:
> > > Also you should look at where you have multicast routing enabled and the
> > > "flow" of your unicast routing to determine if you have the possibility
> > > of RPF failures. This should be one of the first things you do when
> > > configuring multicast.
> > >
> > > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> > >
> > > bdennis@internetworkexpert.com
> > > Internetwork Expert, Inc.
> > > http://www.InternetworkExpert.com
> > > Toll Free: 877-224-8987
> > > Direct: 775-745-6404 (Outside the US and Canada)
> > >
> > > -----Original Message-----
> > > From: Jongsoo kim [mailto:bstrt2002@gmail.com]
> > > Sent: Saturday, April 02, 2005 9:41 PM
> > > To: Brian Dennis
> > > Cc: Group Study
> > > Subject: Re: My checklist ( the final armor) for 5 April
> > >
> > > Another excellent tip I didn't even think about. Thanks Brian!
> > >
> > > On Apr 3, 2005 12:03 AM, Brian Dennis <bdennis@internetworkexpert.com> wrote:
> > > > Jongsoo,
> > > > I didn't notice it in your checklist and I could have overlooked
> > > > it, but do you have plans to do a reachability test when the backup method
> > > > is active?
> > > >
> > > > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> > > >
> > > > bdennis@internetworkexpert.com
> > > > Internetwork Expert, Inc.
> > > > http://www.InternetworkExpert.com
> > > > Toll Free: 877-224-8987
> > > > Direct: 775-745-6404 (Outside the US and Canada)
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > Jongsoo kim
> > > > Sent: Saturday, April 02, 2005 8:50 PM
> > > > To: Eric Taylor
> > > > Cc: Group Study
> > > > Subject: Re: My checklist ( the final armor) for 5 April
> > > >
> > > > Excellent Eric!
> > > > Stuff like "clear ip bgp * soft" is exactly what I am looking
> > > > for from the study group.
> > > >
> > > > On Apr 2, 2005 10:41 PM, Eric Taylor <etaylor10@tampabay.rr.com> wrote:
> > > > > Nice checklist.
> > > > >
> > > > > 12-5 Validate config. Don't just wait for the route update after "clear ip
> > > > > bgp *" if you want to pass. It would take longer than a minute!!
> > > > >
> > > > > Try to use "clear ip bgp * soft" after applying filters.
> > > > >
> > > > > Good Luck!
> > > > >
> > > > > Eric
> > > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > Jongsoo kim
> > > > > Sent: Saturday, April 02, 2005 9:19 PM
> > > > > To: Group Study
> > > > > Subject: My checklist ( the final armor) for 5 April
> > > > >
> > > > > This is the first time I am making my own checklist.
> > > > > I think everyone should make his/her own before the CCIE lab!
> > > > >
> > > > > Bring different color pens and a high-lighter
> > > > > (I don't think the proctor cares about them)
> > > > >
> > > > > #1 Spend a few minutes to understand the point distribution between
> > > > > Core requirements (L2, IGP, BGP, ISDN) and non-core (IOS, Service,
> > > > > Security, Mcast)
> > > > >
> > > > > #2 Spend a few minutes to understand the topology.
> > > > > Figure out core network, stub network, BB
> > > > >
> > > > > #3 Enter alias commands in notepad and copy-paste to all routers.
> > > > > One of my favorite aliases is
> > > > > "show run | b Se"
> > > > >
> > > > > #3 Attack F/R (targeting 10~15 min)
> > > > > Configure router by router, not interface by interface
> > > > > Always 1) enc frame-relay 2) no frame inverse 3) no shut
> > > > > Check if spoke-to-spoke connectivity is required by checking the Core IGP
> > > > > section.
> > > > > Ping from spoke to spoke if possible, not hub to spoke.
> > > > >
> > > > > If PPP over FR, then always create the VT first, then user/password
> > > > >
> > > > > #4 Attack CAT ( 15~20 min)
> > > > > 4-1 Read task and make VLAN table like below
> > > > > VL Router CAT1 CAT2 Router VL
> > > > > 10 R1 f0/0------f0/1 f0/2 ---------f0/0 R2 10
> > > > > 20 R3 f0/1------f0/3 f0/4 ---------f0/0 R4 30
> > > > > 40 R5 f0/0 ------f0/5
> > > > > 40 R6 f0/1-------f0/6
> > > > > f0/23---f0/23
> > > > > f0/24---f0/24
> > > > > vl 10 vl40
> > > > > client vtp server vtp
> > > > > 4-2 configure CAT1 and CAT2 and validate
> > > > > 4-3 Read task once again and make sure nothing missed
> > > > > 4-4 Ping vlan by vlan. Select only one device and ping all others on a
> > > > > specific vlan.
> > > > > No need to ping from multiple interfaces on the same vlan.
> > > > > Don't wait for ARP resolution!
> > > > > If PPP over ATM, then always create the VT or dialer interface first,
> > > > > then user/password
> > > > >
> > > > > #5 Attack ATM (I can't spend time if I screwed up the config. 5~15 min)
> > > > > Quickly decide PVC vs SVC
> > > > > 5-1 If SVC, then decide "CLIP" or "SVC nsap"
> > > > > Put "pvc 0/16 ilmi and pvc 0/5 qsaal" and "show atm ilmi-status" to
> > > > > validate the nsap address.
> > > > > 5-1-1 If CLIP, then decide "arp-server self" or "arp-server nsap"
> > > > > And then decide physical or sub
> > > > > 5-1-2 If SVC nsap, decide physical or logical
> > > > > 5-2 If PVC, then decide "pvc vci/vpi" or map-list/map-group
> > > > > 5-3 After 5-1 or 5-2 is done, figure out nsap or vci/vpi. Pay attention:
> > > > > nsap is HEX!
> > > > > 5-4 Ping and validate
> > > > >
> > > > > L2 is over in 30~50 min (worst case = 60 min)
> > > > >
> > > > > #6 Attack OSPF
> > > > > 6-1 Draw a diagram to configure OSPF router by router, not area by
> > > > > area. (10 min)
> > > > > Check if there are
> > > > > authentication
> > > > > stub or nssa.
> > > > > virtual link
> > > > > Make a note on redistribute, summary, area-range.
> > > > > Pay attention to DR/BDR, OSPF network type
> > > > >
> > > > > 6-2
> > > > > Configure OSPF router by router based on the drawing in black w/ green
> > > > > high-lighter (10~30 min)
> > > > > 6-2-1 Always configure the interface first for 1) OSPF network type based
> > > > > on DR/BDR, hello interval, etc. 2) Authentication, 3) priority 4) Loop
> > > > > interface ospf network type.
> > > > > 6-2-2 Configure the OSPF process in order of 1) router-id, 2) network (
> > > > > copy paste from interface address), 3) neighbor command
> > > > > 6-2-3 Validate everything is working (5 min)
> > > > >
> > > > > 6-3 Do redistribute, summary, area range ( 5 min)
> > > > >
> > > > > 6-4 avoid any engagement with giant beasts. But make a note.
> > > > >
> > > > > OSPF is from 25 ~ 45 Min ( total 55 ~1:45)
> > > > >
> > > > > 7 Attack RIP (20~30 min)
> > > > > It is very tricky!
> > > > > 7-1 Add RIP topology into the OSPF drawing in blue (2 min).
> > > > > 7-2 Make sure of active/passive interface
> > > > > Pay attention to rip update method (M/B/U) and version,
> > > > > authentication
> > > > > Never assume it is always V2!, no auto-summary, mcast, etc
> > > > > This selection can be applied to each direction of the interface.
> > > > > 7-3 Configure router by router (5 min) per drawing
> > > > > 7-4 Validate (3 min)
> > > > > 7-5 Spend enough time to be absolutely correct on route-filter,
> > > > > summary, etc (5 min)
> > > > > 7-6 If mutual-redistribution is required, make sure multi-exit point
> > > > > or single-exit point. Don't forget metric.
> > > > > If it is multi-exit point, write down "rip subnets" on notepad and do
> > > > > the following (5 min)
> > > > >
> > > > > 7-6-1 "redistribute ospf" under "router rip"
> > > > > ##### Protect Rip routes reentering from OSPF ############
> > > > > "Deny rip routes and permit all" route-map for "redistribute ospf" to
> > > > > rip
> > > > > Don't wait after "clear ip route *" is issued if I am not an "idiot!"
> > > > >
> > > > > 7-6-2 "redistribute rip subnets" under "router ospf"
> > > > > ##### Protect OSPF external routes reentering from Rip #####
> > > > > "Permit only rip routes" route-map for "redistribute rip subnets" to
> > > > > OSPF
> > > > > Don't wait after "clear ip route *" is issued if I am not an "idiot!"
> > > > >
> > > > > 7-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
> > > > > ##### Fix redistributing router's AD for Rip routes #####
> > > > > distance 121 0.0.0.0 255.255.255.255 11
> > > > > "access-list 11 permit rip routes"
> > > > > I saw sometimes this takes quite a few seconds. Don't do "clear ip
> > > > > OSPF" or I will end up spending more time just watching.
> > > > >
> > > > > RIP is over in 20~30 min (total 1:15 ~ 2:15)
> > > > >
> > > > > 8 Attack EIGRP (20~30 min)
> > > > > 8-1 Add EIGRP topology into the OSPF drawing in black w/o high lighter (2
> > > > > min).
> > > > > 8-2 Determine non/passive/active-eigrp interface. Be open minded that
> > > > > BB can be multicast/unicast. Load-balance, authentication, stub,
> > > > > summary address (5 min)
> > > > > 8-3 Configure router by router (5 min) per drawing
> > > > > 8-4 Validate (5 min)
> > > > > 8-5 Spend enough time to be absolutely correct on route-filter,
> > > > > summary, etc (5 min)
> > > > > 8-6 If mutual-redistribution is required, make sure multi-exit point
> > > > > or single-exit point.
> > > > >
> > > > > If it is multi-exit point, write down "eigrp subnets" on notepad (5
> > > > > min)
> > > > > 8-6-1 "redistribute ospf" under "router eigrp"
> > > > > ##### Protect EIGRP external route reentering from OSPF #######
> > > > > "Deny eigrp routes and permit all" route-map for "redistribute ospf" to
> > > > > eigrp
> > > > > Make sure metric is configured.
> > > > >
> > > > > 8-6-2 "redistribute eigrp subnet" under "router ospf"
> > > > > ##### Protect OSPF external routes reentering from EIGRP
> > > > > "Only permit eigrp routes" route-map for "redistribute ospf" to eigrp
> > > > > Make sure metric is configured.
> > > > >
> > > > > 8-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
> > > > > ##### Fix redistributing router's AD for eigrp external routes #####
> > > > > distance 121 0.0.0.0 255.255.255.255 11
> > > > > "access-list 11 permit eigrp routes"
> > > > > I saw sometimes this takes quite a few seconds. Don't do "clear ip
> > > > > OSPF" or I will end up spending more time just watching.
> > > > > Technically, only eigrp external routes need to be applied, but eigrp
> > > > > routes won't hurt and it makes it simple.
> > > > >
> > > > > EIGRP is over in 20~30 min (1:35 ~2:45 min)
> > > > >
> > > > > 9. Attack ISIS (10 min)
> > > > > 9-1 Add ISIS topology into the OSPF drawing in black w/ purple high
> > > > > lighter (2 min).
> > > > > 9-2 Determine area type, IS-type, authentication (domain, area,
> > > > > interface level1-2).
> > > > > Make sure of the correct value of NET (it is Hex), summary address
> > > > > 9-3 Configure router by router.
> > > > > 9-4 I don't believe there will be multi-exit mutual redistribution on
> > > > > ISIS
> > > > > Make sure to redistribute connected networks from ISIS to OSPF.
> > > > >
> > > > > ISIS is over in 10~15 min (1:45 ~ 3:00)
> > > > >
> > > > > 10 Attack ISDN (15~30 min)
> > > > > 10-1 Draw ISDN on a separate paper. (30 sec)
> > > > > 10-2 Determine single/both callers, authentication type (no
> > > > > auth/pap/chap), physical/dialer interface. PPP feature = multilink,
> > > > > callback,
> > > > > 10-3 Figure out back-up method (floating static/OSPF demand/watch
> > > > > group/back-up interface/rip trigger/snap-shot routing); focus on how
> > > > > full reachability can be accomplished after F/R failed. Make sure
> > > > > the link is not flapping.
> > > > > 10-4 Determine if there is an additional task for interesting traffic
> > > > > filtering.
> > > > > 10-5 Configure ISDN router by router.
> > > > > 10-5-1 Select switch type, spid, and shut and no shut, and show isdn
> > > > > status.
> > > > > Make sure L2 is happy! Also make a quick test call using both
> > > > > string "isdn test call interface bri0/0 "string"" and disconnect
> > > > > "isdn test disconnect interface bri0/0 all"
> > > > > 10-5-2 Validate the link
> > > > >
> > > > > ISDN is over in 15~30 min (2:00 ~ 3:30)
> > > > >
> > > > > 11 Golden Moment (5~30 min)
> > > > > Check the Golden moment per NMC, meaning the exciting moment when you
> > > > > get a ping response from every router to every router.
> > > > > Run tclsh script
> > > > > "foreach addr {
> > > > > 1.1.1.1
> > > > > ...
> > > > > } { ping $addr }"
> > > > > Just copy paste after tclsh (it is really cool when you see pings go
> > > > > through from everywhere to everywhere). To quit, just type "tclq"
> > > > >
> > > > > 11.1 When ping has no response, write down the ip address and
> > > > > troubleshoot.
> > > > > The drawing will be an excellent tool for troubleshooting
> > > > > Don't bother with the ISDN link yet.
> > > > >
> > > > > Full reachability is done in 5~30 min (2:05 ~ 4:00)
> > > > >
> > > > > 12 Attack BGP (20~40 min)
> > > > > 12.1 Draw a BGP topology on a separate paper. (3 min)
> > > > > 12.2 Determine RR or CON or both to do full-mesh iBGP.
> > > > > See if neighbor peer-group is required,
> > > > > decide ip address to use for the bgp session.
> > > > > 12.3 Configure router by router, not BGP session by session
> > > > > always put no sync and no auto-summary if allowed.
> > > > > 12-4 Spend enough time to be absolutely correct on route-filtering (
> > > > > ACL, prefix-list, as-path filter), route-aggregate (w/ as-set,
> > > > > summary-only, suppress-map, attribute-map, advertise-map),
> > > > > route-manipulation (w/ as-prepending, med, local-pref, weight,
> > > > > next-hop, advertise-map/non/existing-map, origin, community, etc),
> > > > > route-dampening, etc.
> > > > > 12-5 Validate config. Don't just wait for the route update after "clear ip
> > > > > bgp *" if you want to pass. It would take longer than a minute!!
> > > > >
> > > > > BGP is over in 20~40 min (2:25 ~ 4:40). My target is before lunch!
> > > > >
> > > > > 13 IPv6 (10 min)
> > > > > 13-1 Draw a simple diagram (1 min)
> > > > > 13-2 Watch out for the link local address over FR multilink.
> > > > > SLA ID is the 4th 16bit
> > > > > 16bit:16bit:16bit:SLA ID(16 bit):interface ID(64 bits)
> > > > > site-local = FEC0::
> > > > > link-local = fe80::
> > > > > 13-3 Check full reachability using the tcl script or just manual ping
> > > > > depending on the number of routers.
> > > > >
> > > > > IPv6 is over in 10 min (total 2:35 ~ 4:50)
> > > > >
> > > > > ################## Core routing is done ####################
> > > > > I should have at least 3 hours to go.
> > > > >
> > > > > Strategy will change depending on how much time I have at this moment.
> > > > >
> > > > > 14 I would do multicast first (15 min)
> > > > > 14-1 Mark a Mcast topology with red high lighter on the OSPF drawing.
> > > > > 14-2 Determine mcast topology (dense-mode, static RP pim sparse,
> > > > > Auto-rp/MA, pim V2 bsr, Auto-rp/MA/MSDP).
> > > > > 14-3 Configure router-by-router
> > > > > 14-4 Validate it
> > > > > 14-5 If the second part is difficult, skip by making a note.
> > > > >
> > > > > 15 IOS/IP service
> > > > > Be careful not to block or drop any IGP updates
> > > > > 15-1 Just check quickly and do the easy ones first.
> > > > > 15-2 Skip difficult tasks by making a note
> > > > >
> > > > > 16 QoS
> > > > > Be careful not to block or drop any IGP updates
> > > > > 16-1 Draw a flow on paper instead of in brain.
> > > > > 16-2 Always determine classification method (ACL, NBAR) and direction.
> > > > > 16-3 Determine shaping vs policing
> > > > > 16-4 Consider all options for queuing (legacy custom/priority,
> > > > > bandwidth/priority, shape average/peak, FRTS/GTS)
> > > > > 16-5 Consider all options for policing (police, rate-limit, ip
> > > > > multicast rate-limit, aggregate police (3550))
> > > > > 16-6 If frame-relay, don't forget adaptive-shaping. (becn, fecn,
> > > > > foresight)
> > > > > 16-7 Consider all dropping modes (random detect, ecn, tail drop,
> > > > > marking, etc)
> > > > >
> > > > > 17 Security
> > > > > Be careful not to block or drop any IGP updates
> > > > > 17-1 Draw a flow on paper instead of in brain.
> > > > > 17-2 Consider all options for classification
> > > > > std/ext/reflexive/dynamic ACL,
> > > > > IP inspect,
> > > > > tcp intercept
> > > > > unicast RPF,
> > > > > ip accounting output packet /access-violation/precedence,
> > > > >
> > > > > 17-2 When configuring switchport port-security mac-address, be careful
> > > > > to include virtual and physical mac if HSRP is running.
> > > > >
> > > > > 18 DLSW
> > > > > 18.1 Draw a quick topology (1 min)
> > > > > 18.2 Decide method of DLSW TCP, fst, fr. (I think only TCP will show
> > > > > up)
> > > > > Peer on-demand (group/border)
> > > > > Dynamic peering (dynamic)
> > > > > Loadbalance (round-robin, circuit-count),
> > > > > Back-up (back-up peer or cost)
> > > > > DLSW uses tcp 2065 and udp 2067
> > > > > NAT can affect DLSW (higher ip DLSW peer drops)
> > > > > 18.3 Decide type of filtering
> > > > > 18-3-1 Netbios name filter (netbios access-list host xyz permit zyx)
> > > > > Icanreach/icannotreach netbios-name /netbios-exclusive
> > > > >
> > > > > 18-3-2 MAC address filter (access-list 700-799, mac-address conversion
> > > > > needed)
> > > > > Icanreach/icannotreach mac-address/mac-exclusive (address
> > > > > conversion)
> > > > >
> > > > > 18-3-3 LSAP filter (access-list 200-299 permit)
> > > > > SNA only "access-list 200 permit 0x0000 0x0d0d"
> > > > > SNA and Netbios "access-list 200 permit 0xf0f0 0x0101"
> > > > > Icanreach/icannotreach saps
> > > > > icannotreach saps f0 (deny netbios)
> > > > >
> > > > >
> > > > > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:52 GMT-3