Re: My checklist #2 revised ( the final armor) for 5 April

From: Ed Lui (edwlui@gmail.com)
Date: Wed May 18 2005 - 19:16:25 GMT-3

Sean,

Okay. So it all depends. I just thought it is ALWAYS NOT allowed. That
means sending a default route to other routers are permitted in some
case. Thanks!

Rik,
Thanks!

Ed

On 5/18/05, Sean C <Upp_and_Upp@hotmail.com> wrote:
> Hi Ed,
>
> W/out breaking and NDAs - the lab will list on the 1st page or two what is
> not allowed (for example - it may dictate that all statics are not allowed).
> But conversely, the lab may not mention if statics are allowed. As always,
> if in doubt, ask the proctor. Jungsoo's list just gives the standard 5 or 6
> ways to use ISDN as a backup solution, but it's up to you to figure what is
> the correct solution.
>
> HTH, Sean
> ----- Original Message -----
> From: "Ed Lui" <edwlui@gmail.com>
> To: <ccielab@groupstudy.com>; <bstrt2002@gmail.com>
> Sent: Wednesday, May 18, 2005 2:33 PM
> Subject: Fwd: My checklist #2 revised ( the final armor) for 5 April
>
> > Read it many times. But have one question to Jongsoo. Are candidates
> > allowed to use floating static routes (see 10-3)? I thought it is not
> > allowed in the lab or it depends.
> >
> > Thanks,
> >
> > Ed Lui
> >
> > ---------- Forwarded message ----------
> > From: Jongsoo kim <bstrt2002@gmail.com>
> > Date: Apr 3, 2005 11:25 PM
> > Subject: My checklist #2 revised ( the final armor) for 5 April
> > To: Group Study <ccielab@groupstudy.com>
> >
> >
> > Folks Thanks for all the excellent feedback .
> >
> > Based on group's feedback and my trial test to see how pratical and
> > efficient my check list,
> > I revised some of them. Also I was advised that I can't bring the outside
> > pens so that I will do coloring with those color pencil available on desk.
> >
> > #1 Spend a few minute to understand the point distribution between
> > Core requirement (L2, IGP, BGP, ISDN) and non-core ( IOS, Service,
> > Security, Mcast)
> >
> > #2 Spend a few minute to understand the topology.
> > Figure out core network, stub network, BB
> >
> > #3 Enter Alias command to notepad and copy paste all router.
> > "show run | b Se" ( surprizingly, I didn't use this command after I build
> > drawing because I can find out my sub-interface number from drawing!
> >
> > #3 Attack F/R ( targetting 10~15 min)
> > While reading the task,, Draw a quick diagram showing interface type ( ph,
> > m, p2p).
> > Configure Router by router not interface by interface
> > Always 0) shut 1) enc frame-remay 2) no frame inverse 3) no shut.
> > Ping from spoke to spoke if possible. to vaildate.
> > If PPP over FR, then always create VT first, user/password
> > In this way, I was able to do this in 7 min for 3 pvc's ( each pvc has
> > different interface type).
> >
> > #4 Attack CAT ( 25~35 min)
> > 4-1While reading the task, make VLAN table like below
> > VL Router CAT1 CAT2 Router VL
> > 10 R1 f0/0------f0/1 f0/2 ---------f0/0 R2 10
> > 20 R3 f0/1------f0/3 f0/4 ---------f0/0 R4 30
> > 40 R5 f0/0 ------f0/5
> > 40 R6 f0/1-------f0/6
> > f0/23---f0/23
> > f0/24---f0/24
> > vl 10 vl40
> > client vtp server vtp
> > Determine VTP mode, trunk mode.
> > 4-2 Delete vlan data base " delete flash:vlan" before configuring !
> > Then configue 1) VTP, 2) Vlan, 3) cat-cat 4) access port, 4) trunk port
> > 4-3 Read task once again and make sure nothing missed
> > 4-4 ping vlan by vlan. Select only one device and ping all other on a
> > specific vlan.
> >> No need to ping from multiple interface on a same vlan.
> >> Don't wait for Arp resolution!
> > CAT takes about 25 minutes in my scenario ( but real lab would take
> > shorter)
> >
> >>
> >> #5 Attack ATM ( I can spend a lot time if I screwed config. 5~25min )
> >> Quickly decide PVC vs SVC
> >> 5-1 If SVC, then decide "CLIP" or "SVC nsap"
> >> Put "pvc 0/16 ilmi and pvc 0/5 qsaal " and "show atm ilmi-status" to
> >> vaildate nsap address.
> >> 5-1-1 if CLIP, then decide "arp-server self" or "arp-server nsap"
> >> And then decide physical or sub
> >> 5-1-2 if SVC nsap, decide physical or logical
> >> 5-2 if PVC, then decide "pvc vci/vpi" or map-list/map-group
> >> 5-3 after 5-1 or 5-2 done, figure our nsap or vci/vpi. Pay attention
> >> nssp is HEX!
> > If PPP over ATM, then always create VT or dialer interface first, then
> >> user/password
> >> 5-4 ping and validate
> >
> > ############## L2 is over between 40~1:15
> > ###########################################
> >>
> >> #6 Attack OSPF
> > Based on my test, it was very important the way I write down on paper in
> > order to make router-by-router step work.
> > 6-1 While reading the task, Draw a diagram to configure OSPF router by
> > router not area by area w/ green coloring.( 10 min)
> >> Check if there are
> >> authentication
> >> stub or nssa.
> >> virtual link
> >> Make a note on redistribute, summary, area-range.
> >> Pay attention DR/BDR, OPSF network type
> >
> > Write config separately for interface and ospf on drawing.
> > For example, the below was my note on drawing I made while I am reading
> > task.
> >
> > For R1
> > int s0/0.123
> > p2m, md5,
> > int s0/0.14
> > non-bro, pri 0, md5
> > int f0/0
> > nothing
> >
> > ospf
> > r-id
> > a 0 md5
> > a 12 nssa no-sum, no-red
> > a 13 stub no-sum
> > a 12 v r4 md5
> > a 14 v r2 md5
> > a 5 v r3 md5
> > nei R2
> > neii R3
> > area 5 range
> > summary
> >
> > This method makes configuration time very short but it was extremely
> > important to not forget anything to configure router-by-router as many
> > people pointed out.
> >
> >> 6-2 Configure OSPF router by router based on drawing in Black ( 10~30
> >> min)
> > First Interface and then router ospf
> >> 6-2-1 Preferred sequence for configuring interface was 1)OPSF network
> >> type
> > based, 2) priority, 3) Authentication,
> >> 6-2-2 Preferred sequence for configuring OSPF process was from
> > "easy-to-forget" to "always know" 1) router-id( it seem to only help for
> > Virtual-link, I will skip if there is no Virtual link ) 2) area
> > authentication, 3) area virtual link, 4) neighbor, 5) Network (copy past
> > from interface address)
> >> 6-2-3 Validate everything is working( show ip os ne, show ip os vir, show
> > ip os interface, show ip route ), ( 5 min)
> >
> > Just a note wth this method, I was able to do OSPF among five routers in
> > 15
> > min from drawing to core config not including redistribute/summary/area
> > range. This is my record time.
> > Specially, virtual link config really seems to save time.
> > There isn't much of trap in OSPF like Rip. very easy to validate it as
> > well.
> > If config work, in most case it should be correct...
> >
> > 6-3 Do redistribute, summary, area range ( 5 min)
> > It was necessary to separately treat area range, or summary
> >
> > 6-4 avoid any engagement with giant beasts. But make a note.
> >
> > #####OSPF is from 35 ~ 55 Min ( total 1:15 ~2:10)#######
> >
> >> 7 Attack RIP( 20~30 min)
> >> It is very tricky!
> >> 7-1 add RIP topology into OPSF drawing with blue coloring( 2 min).
> > It seems Rip doesn't really have much detail info on drawing.
> >> 7-2 Make sure active/passive interface
> > WATCH OUT Split-Horizon is off on pfysical FR and ATM !
> >> Pay attention of rip update method ( M/B/U) and version, authentication
> >> Never assume it is always V2!, no auto-summary, mcast, etc
> >> This selection can be applied to each direction of interface.
> >> 7-3 Configure router by router( 5 min) per drawing
> > In fact, core rip configuration is always router by router as rip doesn't
> > have concept of adjacency per link.
> >> 7-4 valiadte ( 3 min)
> >> 7-5 Spend enough time to be absolutely correct on route-filter,
> >> summary, etc ( 5 min)
> >> 7-6 If mutual-redistribution is required, make sure multi-exit point
> >> ot single-exit point. Don't fotget metric.
> >> If it is multi-exit point, write down "rip subnets" on notepad and do
> >> the following( 5 min)
> >> 7-6-1 "redistribute ospf" under "router rip"
> >> ##### Provent Rip-originated routes entering Rip from OSPF ############
> >> "Deny rip routes and permit all" route-map for "redistribute ospf" to rip
> >> Don't wait after "clear ip route * " is issued if I am not "idiot!"
> >>
> >> 7-6-2 "redistribute rip subnets" under "router ospf"
> >> ##### Provent OSPF external routes entering OSPF from Rip #####
> >> "Permit only rip routes" route-map for "redistribute rip subnets" to OSPF
> >> Don't wait after "clear ip route * " is issued if I am not "idiot!"
> >>
> >> 7-6-3 distance 121 0.0.0.0 <http://0.0.0.0>
> > 255.255.255.255<http://255.255.255.255>11 under "router OSPF"
> >> ##### Fix redistributing router's AD for Rip routes #####
> >> distance 121 0.0.0.0 <http://0.0.0.0>
> > 255.255.255.255<http://255.255.255.255>11
> >> "access-list 11 permit rip routes"
> >> I saw sometimes this takes quite a few second. Don't do "clear ip
> >> OPSF" or I will end up spending more time just for watching.
> >>
> > #### RIP is over 20 ~30 min( total 1:35 ~ 2:40) ############
> >>
> >> 8 Attack EIGRP ( 20~30min)
> >> 8-1 While reading the task, add EIGRP topology into OPSF drawing in black
> > w/o blue coloring ( 2 min).
> >> 8-2 Determine non/passive/active-eigrp interface. Be open minded that
> > WATCH OUT Split-Horizon is off on pfysical FR and ATM !
> >> BB can be multicast/unicast. Load-balance, authentication, stub,
> >> summary address( 5 min )
> >> 8-3 Configure router by router( 5 min) per drawing
> >> 8-4 validate ( 5 min)
> >> 8-5 Spend enough time to be absolutely correct on route-filter,
> >> summary, etc ( 5 min)
> >> 8-6 If mutual-redistribution is required, make sure multi-exit point
> >> ot single-exit point.
> >>
> >> If it is multi-exit point, write down "eigrp subnets" on notepad ( 5 min)
> >> 8-6-1"redistribute ospf" under "router eigrp"
> >> #####Protect EIGRP external route reentering from OSPF #######
> >> "Deny eigrp routes and permit all" route-map for "redistribute ospf" to
> > eigrp
> >> Make sure metric is configured.
> >>
> >> 8-6-2 "redistribute eigrp subnet" under "router ospf"
> >> ##### Protect OSPF external routes reentering from EIGRP
> >> "Only permit eigrp routes" route-map for "redistribute ospf" to eigrp
> >> Make sure metric is configured.
> >>
> >> 8-6-3 distance 121 0.0.0.0 <http://0.0.0.0>
> > 255.255.255.255<http://255.255.255.255>11 under "router OSPF"
> >> ##### Fix redistributing router's AD for eigrp external routes #####
> >> distance 121 0.0.0.0 <http://0.0.0.0>
> > 255.255.255.255<http://255.255.255.255>11
> >> "access-list 11 permit eigrp routes"
> >> I saw sometimes this takes quite a few second. Don't do "clear ip
> >> OPSF" or I will end up spending more time just for watching.
> >> Technically, only eigrp external route needs to be applied but eigrp
> >> route won't hurt and make it simple.
> >>
> > ######EIGRP is over in 20~30 min (1:55 ~3:10 min) ##############
> >>
> >> 9.Attack ISIS ( 10 min)
> >> 9-1 While reading the task, add ISIS topology into OPSF drawing in black
> > w/ purple coloring ( 1 min).
> >> 9-2 determine area type, IS-type, authentication ( domain, area,
> >> interface level1-2).
> >> Make sure of correct value of NET ( it is Hex), summary address
> >> 9-3 Configure router by router.
> >> 9-4 I don't believe there will be multi-exit mutual redistribution on
> >> ISIS
> >> Make sure to redistribute connect network from ISIS to OSPF.
> >>
> > ###### ISIS is over in 10~15 min ( 2:05 ~3:25)
> >>
> >> 10 Attack ISDN ( 15~30 min)
> >> 10-1 draw ISDN on a separate paper. ( 30 sec)
> >> 10-2 Determine single/both callers, authentication type( no
> >> auth/pap/chap), physical/dialer interface. PPP feature = multilink,
> >> callback,
> >> 10-3 Figure out back-up method ( floating static/OSPF demand/watch
> >> group/back-up interface/rip trriger/ snap-shot routing ) focus on how
> >> full reachability can be accomplished after F/R failed. Make sure
> >> link is not flapping.
> >> 10-4 Determine if there is additional task for interesting traffic
> > filtering.
> >> 10-5 configure ISDN router by router.
> >> 10-5-1 select switch type, spid and shut and no shut and show isdn
> >> status.
> >> make sure L2 is happy! Also make a quick test call using both
> >> string " isdn test call interface bri0/0 "string" " and disconnect "
> >> isdn test disconnect interface bri0/0 all"
> >> 10-5-2 validate the link
> >>
> > ###### ISDN is over in 15 ~30 min ( 2:20 ~ 3:55)
> >>
> >> 11 Golden Moment ( 5~30 min)
> > 11.1 Test full reachability with ISDN back-up link off
> >> Check the Golden moment per NMC meaning the exciting moment when you
> >> get ping response from every router to every router.
> >> Run tclsh script
> >> "foreach addr {
> >> 1.1.1.1 <http://1.1.1.1>
> >> ...
> >> } { ping $ addr}"
> >> Just copy past after tclsh ( it is really cool when you see pings go
> >> through from everywhere to everywhere). To quit, juts type " tclq"
> >
> > 11.1 Test full reachability with ISDN back-up link on
> > 11.2 when ping has no response, write down ip address and troubleshoot.
> >> Drawing will be the excellent tool for troubleshooting
> >> Don't bother ISDN link yet.
> >>
> > ########### Full reachability is done in 5 ~30 min ( 2:25 ~4:25)
> >
> >> 12 Attack BGP( 20 ~40 min)
> >> 12.1 While reading task, Drawing a BGP topology on a separate paper.( 3
> > min)
> > Drawing is very imnportant in BGP
> > 12.2 Determine RR or CON or both to do full-mesh iBGP.
> >> See if neighbor peer-group is required,
> >> decide ip address ot use bgp session.
> >> 12.3 Configure router by router not BGP session-by-session
> >> always put no sync and no auto-summary if allowed.
> >> 12-4 Spend enough time to be absolutely correct on route-filtering (
> >> ACL, prefix-list, as-path filer), route-aggregate(w/ as-set,
> >> summary-only, supress-map, attribute-map, advertise-map),
> >> route-manipulation( w/as-prepending, med, local-pref, weight,
> >> next-hop, advertise-map/non/existing-map, orgin, community, etc )
> >> route-dampening, etc.
> >> 12-5 vaildate config. Use "clear ip bgp * soft " not " clear ip bgp * and
> > I don't have to wait!
> >>
> > ###### BGP is over in 20 ~40 ( 2:45 ~ 5:05) My target is before lunch!
> >>
> >> 13 IPv6( 10 min)
> >> 13-1 draw a sipmple diagram ( 1 min)
> >> 13-2 Watch out link local address over FR multilink.
> >> SLA ID is 4th 16bit
> >> 16bit:16bit:16bit:SLA ID(16 bit) : interface ID( 64 bits)
> >> site-local = FEC0::
> >> link-local = fe80::
> >> 13-3 Check a full reachability using tcl script or just manual ping
> >> depneding on the number router.
> >>
> >> IPv6 is over 10 min ( total 2:45 ~ 5:15)
> >>
> >> ################## Core routing is done ####################
> >> I should have at least 2:45 hours to go at least.
> >>
> >> Strategy will change depending how much time I have at this moment.
> >>
> >> 14 I would do multicast first ( 15 min)
> >> 14-1 While reading task, mark a Mcast topology with red high lighter on
> > OSPF drawing.
> >> 14-2 Determine mcast topology ( dense-mode, static RP pim sparse,
> >> Auto-rp/MA, pim V2 bsr, Auto-rp/MA/MSDP).
> > Spot any RFP issue per IGP topology
> >> 14-3 Configure router-by-router
> >> 14-4 valildate it
> >> 14-5 If second part is difficult, skip by making a note.
> > #####Minimum 2:30 left
> >> 15 IOS/IP service ( 25 min)
> >> Be careful not to block or drop any IGP updates
> >> 15-1, just check quikcly and do easy one first.
> >> 15-2, skip difficult task by making a note
> > ###### minimum 2:05 left
> >> 16 QoS ( 30 ~ 40min)
> >> Be careful not to block or drop any IGP updates
> >> 16-1 Draw a flow on paper instead of in brain.
> >> 16-2 Always determine classification method( ACL, NBAR) and direction.
> >> 16-3 Determine shaping vs policing
> >> 16-4 Consider all options for queuing( legacy custom/priority,
> >> bandwidth/priority, shape average/peak, FRTS/GTS)
> >> 16-5 consider all options for policing ( police, rate-limit, ip
> >> multicast rate-limit, aggregate police( 3550))
> >> 16-6 If frame-relay, don't forget adaptive-shaping.( becn, fecn,
> > foresight)
> >> 16-7 Consider all droping mode (random detect, ecn, tail drop, marking,
> > etc)
> > ##### minimum 1:25
> >> 17 Security ( 30~40min)
> >> Be careful not to block or drop any IGP updates
> >> 17-1 Draw a flow on paper instead of in brain.
> >> 17-2 Consdier all options for classification
> >> std/ext/reflexive/dynamic ACL,
> >> IP insepct,
> >> tcp intercept
> >> unicast RFP,
> >> ip accouting output packet /access-violation/precedence,
> >> 17-2 When configuring Switchport port-security mac-address, be careful
> >> to include vurtual and physical mac if HSRP is running.
> > ###### minimum 45 min
> >
> >> 18 DLSW( 15 min)
> >> 18.1 Draw a qucik topology ( 1 min)
> >> 18.2 Decide method of DLSW TCP, fst, fr.( I think only TCP will show up)
> >> Peer on-demand( group/border)
> >> Dynamic peering ( dynamic)
> >> Loadbalance (round-robin, circuit-count),
> >> Back-up ( back-up peer or cost)
> >> DSLW use tcp 2065 and udp 2067
> >> NAT can affect DLSW ( higher ip DLSW peer drops)
> >> 18.3 decide type of filtering
> >> 18-3-1 Netbios name filter( netbios access-list host xyz permit zyx )
> >> Icanreach/icannotreach netbios-name /netbiosexclusive
> >>
> >> 18-3-2 MAC address filer ( access-list 700-799, mac-address conevrsion
> > needed )
> >> Icanreach/icannotreach mac-address/mac-exclusive( address conversion)
> >>
> >> 18-3-3 LSAP filter ( access-list 200-299 permit )
> >> SNA only "access-list 200 permit 0x0000 0x0d0d"
> >> SNA and Netbios " access-list 200 permit 0xf0f0 0x0101
> >> Icanreach/icannotreach saps
> >> icannotreach saps f0 ( deny netbios)
> >>
> > ###### minimum 30 min #############
> > I am planing at least 1:30 hour left.
> > I will do " tcl script " one more time to make sure everything work.
> > I expect 2 ~ 4 question I will skip.
> > At this moment, depending on how much time I have, I quckily go back to
> > the
> > qeustion I skipped.
> > I will invest my time to something I can see best chance of getting right
> > out of the skipped ones.
> > Jongsoo from RTP
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:59 GMT-3