From: Jongsoo kim (bstrt2002@gmail.com)
Date: Wed May 18 2005 - 19:45:02 GMT-3
In general, any exception to the overall rule of "what's not allowed" is
specifically mentioned and limited in a task.
In the case of a floating route, I can imagine a task saying "a static route is
allowed to only router 1 to accomplish this task", which is also a common task
statement in any workbook.
HTH
Jongsoo
On 5/18/05, Ed Lui <edwlui@gmail.com> wrote:
>
> Sean,
>
> Okay. So it all depends. I just thought it is ALWAYS NOT allowed. That
> means sending a default route to other routers is permitted in some
> cases. Thanks!
>
> Rik,
> Thanks!
>
> Ed
>
> On 5/18/05, Sean C <Upp_and_Upp@hotmail.com> wrote:
> > Hi Ed,
> >
> > W/out breaking any NDAs - the lab will list on the 1st page or two what is
> > not allowed (for example - it may dictate that all statics are not allowed).
> > But conversely, the lab may not mention if statics are allowed. As always,
> > if in doubt, ask the proctor. Jongsoo's list just gives the standard 5 or 6
> > ways to use ISDN as a backup solution, but it's up to you to figure what is
> > the correct solution.
> >
> > HTH, Sean
> > ----- Original Message -----
> > From: "Ed Lui" <edwlui@gmail.com>
> > To: <ccielab@groupstudy.com>; <bstrt2002@gmail.com>
> > Sent: Wednesday, May 18, 2005 2:33 PM
> > Subject: Fwd: My checklist #2 revised ( the final armor) for 5 April
> >
> > > Read it many times. But have one question to Jongsoo. Are candidates
> > > allowed to use floating static routes (see 10-3)? I thought it is not
> > > allowed in the lab or it depends.
> > >
> > > Thanks,
> > >
> > > Ed Lui
> > >
> > > ---------- Forwarded message ----------
> > > From: Jongsoo kim <bstrt2002@gmail.com>
> > > Date: Apr 3, 2005 11:25 PM
> > > Subject: My checklist #2 revised ( the final armor) for 5 April
> > > To: Group Study <ccielab@groupstudy.com>
> > >
> > >
> > > Folks, thanks for all the excellent feedback.
> > >
> > > Based on the group's feedback and my trial test to see how practical and
> > > efficient my check list is,
> > > I revised some of them. Also I was advised that I can't bring outside
> > > pens so that I will do coloring with those color pencils available on the desk.
> > >
> > > #1 Spend a few minutes to understand the point distribution between
> > > Core requirement (L2, IGP, BGP, ISDN) and non-core ( IOS, Service,
> > > Security, Mcast)
> > >
> > > #2 Spend a few minutes to understand the topology.
> > > Figure out core network, stub network, BB
> > >
> > > #3 Enter Alias command to notepad and copy paste to all routers.
> > > "show run | b Se" ( surprisingly, I didn't use this command after I built the
> > > drawing because I can find out my sub-interface number from the drawing! )
> > >
> > > #3 Attack F/R ( targeting 10~15 min)
> > > While reading the task, draw a quick diagram showing interface type ( ph,
> > > m, p2p).
> > > Configure router by router, not interface by interface
> > > Always 0) shut 1) enc frame-relay 2) no frame inverse 3) no shut.
> > > Ping from spoke to spoke if possible, to validate.
> > > If PPP over FR, then always create VT first, user/password
> > > In this way, I was able to do this in 7 min for 3 pvc's ( each pvc has
> > > different interface type).
> > >
> > > #4 Attack CAT ( 25~35 min)
> > > 4-1 While reading the task, make VLAN table like below
> > > VL  Router           CAT1         CAT2             Router  VL
> > > 10  R1 f0/0 -------- f0/1         f0/2 ----------- f0/0 R2 10
> > > 20  R3 f0/1 -------- f0/3         f0/4 ----------- f0/0 R4 30
> > > 40  R5 f0/0 -------- f0/5
> > > 40  R6 f0/1 -------- f0/6
> > >                      f0/23 ------ f0/23
> > >                      f0/24 ------ f0/24
> > >                      vl 10        vl40
> > >                      client vtp   server vtp
> > > Determine VTP mode, trunk mode.
> > > 4-2 Delete vlan data base " delete flash:vlan" before configuring !
> > > Then configure 1) VTP, 2) Vlan, 3) cat-cat 4) access port, 4) trunk port
> > > 4-3 Read task once again and make sure nothing missed
> > > 4-4 ping vlan by vlan. Select only one device and ping all other on a
> > > specific vlan.
> > >> No need to ping from multiple interface on a same vlan.
> > >> Don't wait for Arp resolution!
> > > CAT takes about 25 minutes in my scenario ( but real lab would take
> > > shorter)
> > >
> > >>
> > >> #5 Attack ATM ( I can spend a lot time if I screwed config. 5~25min )
> > >> Quickly decide PVC vs SVC
> > >> 5-1 If SVC, then decide "CLIP" or "SVC nsap"
> > >> Put "pvc 0/16 ilmi and pvc 0/5 qsaal " and "show atm ilmi-status" to
> > >> validate nsap address.
> > >> 5-1-1 if CLIP, then decide "arp-server self" or "arp-server nsap"
> > >> And then decide physical or sub
> > >> 5-1-2 if SVC nsap, decide physical or logical
> > >> 5-2 if PVC, then decide "pvc vci/vpi" or map-list/map-group
> > >> 5-3 after 5-1 or 5-2 done, figure out nsap or vci/vpi. Pay attention
> > >> nsap is HEX!
> > > If PPP over ATM, then always create VT or dialer interface first, then
> > >> user/password
> > >> 5-4 ping and validate
> > >
> > > ############## L2 is over between 40~1:15 ##############
> > >>
> > >> #6 Attack OSPF
> > > Based on my test, it was very important the way I write down on paper in
> > > order to make router-by-router step work.
> > > 6-1 While reading the task, Draw a diagram to configure OSPF router by
> > > router not area by area w/ green coloring.( 10 min)
> > >> Check if there are
> > >> authentication
> > >> stub or nssa.
> > >> virtual link
> > >> Make a note on redistribute, summary, area-range.
> > >> Pay attention DR/BDR, OSPF network type
> > >
> > > Write config separately for interface and ospf on drawing.
> > > For example, the below was my note on drawing I made while I am reading
> > > task.
> > >
> > > For R1
> > > int s0/0.123
> > > p2m, md5,
> > > int s0/0.14
> > > non-bro, pri 0, md5
> > > int f0/0
> > > nothing
> > >
> > > ospf
> > > r-id
> > > a 0 md5
> > > a 12 nssa no-sum, no-red
> > > a 13 stub no-sum
> > > a 12 v r4 md5
> > > a 14 v r2 md5
> > > a 5 v r3 md5
> > > nei R2
> > > nei R3
> > > area 5 range
> > > summary
> > >
> > > This method makes configuration time very short but it was extremely
> > > important to not forget anything to configure router-by-router as many
> > > people pointed out.
> > >
> > >> 6-2 Configure OSPF router by router based on drawing in Black ( 10~30
> > >> min)
> > > First Interface and then router ospf
> > >> 6-2-1 Preferred sequence for configuring interface was 1) OSPF network
> > >> type
> > > based, 2) priority, 3) Authentication,
> > >> 6-2-2 Preferred sequence for configuring OSPF process was from
> > > "easy-to-forget" to "always know" 1) router-id( it seem to only help for
> > > Virtual-link, I will skip if there is no Virtual link ) 2) area
> > > authentication, 3) area virtual link, 4) neighbor, 5) Network (copy paste
> > > from interface address)
> > >> 6-2-3 Validate everything is working( show ip os ne, show ip os vir, show
> > > ip os interface, show ip route ), ( 5 min)
> > >
> > > Just a note with this method, I was able to do OSPF among five routers in
> > > 15 min from drawing to core config not including redistribute/summary/area
> > > range. This is my record time.
> > > Specially, virtual link config really seems to save time.
> > > There isn't much of trap in OSPF like Rip. very easy to validate it as
> > > well.
> > > If config work, in most case it should be correct...
> > >
> > > 6-3 Do redistribute, summary, area range ( 5 min)
> > > It was necessary to separately treat area range, or summary
> > >
> > > 6-4 avoid any engagement with giant beasts. But make a note.
> > >
> > > #####OSPF is from 35 ~ 55 Min ( total 1:15 ~2:10)#######
> > >
> > >> 7 Attack RIP( 20~30 min)
> > >> It is very tricky!
> > >> 7-1 add RIP topology into OSPF drawing with blue coloring( 2 min).
> > > It seems Rip doesn't really have much detail info on drawing.
> > >> 7-2 Make sure active/passive interface
> > > WATCH OUT Split-Horizon is off on physical FR and ATM !
> > >> Pay attention of rip update method ( M/B/U) and version, authentication
> > >> Never assume it is always V2!, no auto-summary, mcast, etc
> > >> This selection can be applied to each direction of interface.
> > >> 7-3 Configure router by router( 5 min) per drawing
> > > In fact, core rip configuration is always router by router as rip doesn't
> > > have concept of adjacency per link.
> > >> 7-4 validate ( 3 min)
> > >> 7-5 Spend enough time to be absolutely correct on route-filter,
> > >> summary, etc ( 5 min)
> > >> 7-6 If mutual-redistribution is required, make sure multi-exit point
> > >> or single-exit point. Don't forget metric.
> > >> If it is multi-exit point, write down "rip subnets" on notepad and do
> > >> the following( 5 min)
> > >> 7-6-1 "redistribute ospf" under "router rip"
> > >> ##### Prevent Rip-originated routes entering Rip from OSPF ############
> > >> "Deny rip routes and permit all" route-map for "redistribute ospf" to rip
> > >> Don't wait after "clear ip route * " is issued if I am not "idiot!"
> > >>
> > >> 7-6-2 "redistribute rip subnets" under "router ospf"
> > >> ##### Prevent OSPF external routes entering OSPF from Rip #####
> > >> "Permit only rip routes" route-map for "redistribute rip subnets" to OSPF
> > >> Don't wait after "clear ip route * " is issued if I am not "idiot!"
> > >>
> > >> 7-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
> > >> ##### Fix redistributing router's AD for Rip routes #####
> > >> distance 121 0.0.0.0 255.255.255.255 11
> > >> "access-list 11 permit rip routes"
> > >> I saw sometimes this takes quite a few second. Don't do "clear ip
> > >> OSPF" or I will end up spending more time just for watching.
> > >>
> > > #### RIP is over 20 ~30 min( total 1:35 ~ 2:40) ############
> > >>
> > >> 8 Attack EIGRP ( 20~30min)
> > >> 8-1 While reading the task, add EIGRP topology into OSPF drawing in black
> > > w/o blue coloring ( 2 min).
> > >> 8-2 Determine non/passive/active-eigrp interface. Be open minded that
> > > WATCH OUT Split-Horizon is off on physical FR and ATM !
> > >> BB can be multicast/unicast. Load-balance, authentication, stub,
> > >> summary address( 5 min )
> > >> 8-3 Configure router by router( 5 min) per drawing
> > >> 8-4 validate ( 5 min)
> > >> 8-5 Spend enough time to be absolutely correct on route-filter,
> > >> summary, etc ( 5 min)
> > >> 8-6 If mutual-redistribution is required, make sure multi-exit point
> > >> or single-exit point.
> > >>
> > >> If it is multi-exit point, write down "eigrp subnets" on notepad ( 5 min)
> > >> 8-6-1 "redistribute ospf" under "router eigrp"
> > >> #####Protect EIGRP external route reentering from OSPF #######
> > >> "Deny eigrp routes and permit all" route-map for "redistribute ospf" to eigrp
> > >> Make sure metric is configured.
> > >>
> > >> 8-6-2 "redistribute eigrp subnet" under "router ospf"
> > >> ##### Protect OSPF external routes reentering from EIGRP
> > >> "Only permit eigrp routes" route-map for "redistribute ospf" to eigrp
> > >> Make sure metric is configured.
> > >>
> > >> 8-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
> > >> ##### Fix redistributing router's AD for eigrp external routes #####
> > >> distance 121 0.0.0.0 255.255.255.255 11
> > >> "access-list 11 permit eigrp routes"
> > >> I saw sometimes this takes quite a few second. Don't do "clear ip
> > >> OSPF" or I will end up spending more time just for watching.
> > >> Technically, only eigrp external route needs to be applied but eigrp
> > >> route won't hurt and make it simple.
> > >>
> > > ######EIGRP is over in 20~30 min (1:55 ~3:10 min) ##############
> > >>
> > >> 9.Attack ISIS ( 10 min)
> > >> 9-1 While reading the task, add ISIS topology into OSPF drawing in black
> > > w/ purple coloring ( 1 min).
> > >> 9-2 determine area type, IS-type, authentication ( domain, area,
> > >> interface level1-2).
> > >> Make sure of correct value of NET ( it is Hex), summary address
> > >> 9-3 Configure router by router.
> > >> 9-4 I don't believe there will be multi-exit mutual redistribution on
> > >> ISIS
> > >> Make sure to redistribute connect network from ISIS to OSPF.
> > >>
> > > ###### ISIS is over in 10~15 min ( 2:05 ~3:25)
> > >>
> > >> 10 Attack ISDN ( 15~30 min)
> > >> 10-1 draw ISDN on a separate paper. ( 30 sec)
> > >> 10-2 Determine single/both callers, authentication type( no
> > >> auth/pap/chap), physical/dialer interface. PPP feature = multilink,
> > >> callback,
> > >> 10-3 Figure out back-up method ( floating static/OSPF demand/watch
> > >> group/back-up interface/rip trigger/ snap-shot routing ) focus on how
> > >> full reachability can be accomplished after F/R failed. Make sure
> > >> link is not flapping.
> > >> 10-4 Determine if there is additional task for interesting traffic
> > > filtering.
> > >> 10-5 configure ISDN router by router.
> > >> 10-5-1 select switch type, spid and shut and no shut and show isdn
> > >> status.
> > >> make sure L2 is happy! Also make a quick test call using both
> > >> string " isdn test call interface bri0/0 "string" " and disconnect "
> > >> isdn test disconnect interface bri0/0 all"
> > >> 10-5-2 validate the link
> > >>
> > > ###### ISDN is over in 15 ~30 min ( 2:20 ~ 3:55)
> > >>
> > >> 11 Golden Moment ( 5~30 min)
> > > 11.1 Test full reachability with ISDN back-up link off
> > >> Check the Golden moment per NMC meaning the exciting moment when you
> > >> get ping response from every router to every router.
> > >> Run tclsh script
> > >> "foreach addr {
> > >> 1.1.1.1
> > >> ...
> > >> } { ping $addr }"
> > >> Just copy paste after tclsh ( it is really cool when you see pings go
> > >> through from everywhere to everywhere). To quit, just type " tclq"
> > >
> > > 11.1 Test full reachability with ISDN back-up link on
> > > 11.2 when ping has no response, write down ip address and troubleshoot.
> > >> Drawing will be the excellent tool for troubleshooting
> > >> Don't bother ISDN link yet.
> > >>
> > > ########### Full reachability is done in 5 ~30 min ( 2:25 ~4:25)
> > >
> > >> 12 Attack BGP( 20 ~40 min)
> > >> 12.1 While reading task, Drawing a BGP topology on a separate paper.( 3
> > > min)
> > > Drawing is very important in BGP
> > > 12.2 Determine RR or CON or both to do full-mesh iBGP.
> > >> See if neighbor peer-group is required,
> > >> decide ip address to use bgp session.
> > >> 12.3 Configure router by router not BGP session-by-session
> > >> always put no sync and no auto-summary if allowed.
> > >> 12-4 Spend enough time to be absolutely correct on route-filtering (
> > >> ACL, prefix-list, as-path filter), route-aggregate(w/ as-set,
> > >> summary-only, suppress-map, attribute-map, advertise-map),
> > >> route-manipulation( w/as-prepending, med, local-pref, weight,
> > >> next-hop, advertise-map/non/existing-map, origin, community, etc )
> > >> route-dampening, etc.
> > >> 12-5 validate config. Use "clear ip bgp * soft " not " clear ip bgp * " and
> > > I don't have to wait!
> > >>
> > > ###### BGP is over in 20 ~40 ( 2:45 ~ 5:05) My target is before lunch!
> > >>
> > >> 13 IPv6( 10 min)
> > >> 13-1 draw a simple diagram ( 1 min)
> > >> 13-2 Watch out link local address over FR multilink.
> > >> SLA ID is 4th 16bit
> > >> 16bit:16bit:16bit:SLA ID(16 bit) : interface ID( 64 bits)
> > >> site-local = FEC0::
> > >> link-local = fe80::
> > >> 13-3 Check a full reachability using tcl script or just manual ping
> > >> depending on the number router.
> > >>
> > >> IPv6 is over 10 min ( total 2:45 ~ 5:15)
> > >>
> > >> ################## Core routing is done ####################
> > >> I should have at least 2:45 hours to go at least.
> > >>
> > >> Strategy will change depending how much time I have at this moment.
> > >>
> > >> 14 I would do multicast first ( 15 min)
> > >> 14-1 While reading task, mark a Mcast topology with red high lighter on
> > > OSPF drawing.
> > >> 14-2 Determine mcast topology ( dense-mode, static RP pim sparse,
> > >> Auto-rp/MA, pim V2 bsr, Auto-rp/MA/MSDP).
> > > Spot any RPF issue per IGP topology
> > >> 14-3 Configure router-by-router
> > >> 14-4 validate it
> > >> 14-5 If second part is difficult, skip by making a note.
> > > #####Minimum 2:30 left
> > >> 15 IOS/IP service ( 25 min)
> > >> Be careful not to block or drop any IGP updates
> > >> 15-1, just check quickly and do easy one first.
> > >> 15-2, skip difficult task by making a note
> > > ###### minimum 2:05 left
> > >> 16 QoS ( 30 ~ 40min)
> > >> Be careful not to block or drop any IGP updates
> > >> 16-1 Draw a flow on paper instead of in brain.
> > >> 16-2 Always determine classification method( ACL, NBAR) and direction.
> > >> 16-3 Determine shaping vs policing
> > >> 16-4 Consider all options for queuing( legacy custom/priority,
> > >> bandwidth/priority, shape average/peak, FRTS/GTS)
> > >> 16-5 consider all options for policing ( police, rate-limit, ip
> > >> multicast rate-limit, aggregate police( 3550))
> > >> 16-6 If frame-relay, don't forget adaptive-shaping.( becn, fecn,
> > > foresight)
> > >> 16-7 Consider all dropping mode (random detect, ecn, tail drop, marking,
> > > etc)
> > > ##### minimum 1:25
> > >> 17 Security ( 30~40min)
> > >> Be careful not to block or drop any IGP updates
> > >> 17-1 Draw a flow on paper instead of in brain.
> > >> 17-2 Consider all options for classification
> > >> std/ext/reflexive/dynamic ACL,
> > >> IP inspect,
> > >> tcp intercept
> > >> unicast RPF,
> > >> ip accounting output packet /access-violation/precedence,
> > >> 17-2 When configuring Switchport port-security mac-address, be careful
> > >> to include virtual and physical mac if HSRP is running.
> > > ###### minimum 45 min
> > >
> > >> 18 DLSW( 15 min)
> > >> 18.1 Draw a quick topology ( 1 min)
> > >> 18.2 Decide method of DLSW TCP, fst, fr.( I think only TCP will show up)
> > >> Peer on-demand( group/border)
> > >> Dynamic peering ( dynamic)
> > >> Loadbalance (round-robin, circuit-count),
> > >> Back-up ( back-up peer or cost)
> > >> DLSW use tcp 2065 and udp 2067
> > >> NAT can affect DLSW ( higher ip DLSW peer drops)
> > >> 18.3 decide type of filtering
> > >> 18-3-1 Netbios name filter( netbios access-list host xyz permit zyx )
> > >> Icanreach/icannotreach netbios-name /netbiosexclusive
> > >>
> > >> 18-3-2 MAC address filter ( access-list 700-799, mac-address conversion
> > > needed )
> > >> Icanreach/icannotreach mac-address/mac-exclusive( address conversion)
> > >>
> > >> 18-3-3 LSAP filter ( access-list 200-299 permit )
> > >> SNA only "access-list 200 permit 0x0000 0x0d0d"
> > >> SNA and Netbios " access-list 200 permit 0xf0f0 0x0101"
> > >> Icanreach/icannotreach saps
> > >> icannotreach saps f0 ( deny netbios)
> > >>
> > > ###### minimum 30 min #############
> > > I am planning at least 1:30 hour left.
> > > I will do " tcl script " one more time to make sure everything work.
> > > I expect 2 ~ 4 question I will skip.
> > > At this moment, depending on how much time I have, I quickly go back to
> > > the question I skipped.
> > > I will invest my time to something I can see best chance of getting right
> > > out of the skipped ones.
> > > Jongsoo from RTP
> > >
> > >
> _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:59 GMT-3