From: Jongsoo (bstrt2004@gmail.com)
Date: Mon Oct 31 2005 - 15:56:16 GMT-3
All
Honestly, I am a little surprised people are still looking for the checklist
that I happened to write a week before taking the lab @ my 4th trial.
I'd like to provide the most updated one, which I updated right after passing the lab
(there are many versions of the checklist because the feedback provided by
many folks has been updated.)
As Scott, Bruce, and Brians keep saying, passing the CCIE lab takes a lot more
than knowing and understanding. And in most cases, every question in the exam
has a perfect answer if we know all the options.
Here is the most updated version, which may still have some errors but at
the end of the day, everyone should create his/her own checklist at least 1
week before the exam.
Best Regards
Jongsoo Kim
---------- Forwarded message ----------
From: Jongsoo kim <bstrt2002@gmail.com>
Date: Apr 6, 2005 8:49 AM
Subject: I guess I am CCIE(#14539) now...: My checklist #2 revised ( the
final armor) for 5 April
To: Group Study < ccielab@groupstudy.com>
Dear All
I failed last 28-Feb in RTP and when leaving the RTP, I felt very
positively I might have a good chance to pass it ...but yesterday when I was
leaving RTP, I knew I finished all the questions on the paper with a
confidence that this should be the answer because there are no other ways or
I am 100% compliant to the restriction... On the other side, if I failed, I
will definitely ask for regrading...
However, I also had a feeling what I am going to do if I failed this time
after that much of study...
Obviously, the confidence that I used to have when I knew only a couple of
ways to make it work isn't with me after I learned so many other ways that I
didn't know...
Anyway, let me go over how our check list worked during my lab.
First, I followed it exactly. CAT table, IGP drawing, and BGP drawing. Each
of these drawings captures everything but IP address. The IGP drawing has nice
coloring per protocol (a well-sharpened pencil was really good to use).
I was like an MLS switch, as only the first packet of a new flow goes through process
and all others are done by ASIC.
Anything missing, I just update my drawing so that I don't have to go through
multiple papers again, which significantly reduced my brain CPU cycles.
I finished L2, IGP, ISDN, and BGP (with 4 questions (route filters)
skipped, unrelated to full reachability) with TCL script validation of a good
working full reachability before lunch. I couldn't believe how fast I was
able to finish OSPF compared to last time. I rebooted the router right before
lunch. When I came back, I ran TCL again and was surprised to find out ping
failed to one router and a BGP neighbor was down. One of the default-metrics
disappeared...which I thought might happen to my other trials..
After I achieved full reachability by lunch, I knew I was controlling time,
unlike being controlled by it in my last attempt.
It was a totally different game when I can control the time...
Whenever I did some flow restriction, I ran TCL to validate I was not breaking
any previous work.
There was only one question (2 points) I didn't know...ironically it was the
last question of the lab and it was security again, related to some flow
restriction...Initially I thought it is only 2 points and I'd rather give
this up because I didn't want to repeat my nightmare on my 2nd attempt. But
I sort of recalled some discussion on groupstudy on a similar topic. After
some research on CD, I was able to get it right because my solution matched
the result criteria. Immediately, I ran the TCL script and checked all the related
protocols.
And finally, I rebooted all the routers and SW, of course after "wr", before
going to restroom.
And I ran TCL again and saw ping drops but I was in good control because I
was confident my config is correct.
It turned out that SW OSPF came up later than router...
That was the last thing I did, and I walked out...
Regards
Jongsoo
On Apr 4, 2005 2:25 AM, Jongsoo kim <bstrt2002@gmail.com > wrote:
>
> Folks, thanks for all the excellent feedback.
>
> Based on group's feedback and my trial test to see how practical and
> efficient my check list is,
> I revised some of them. Also I was advised that I can't bring the outside
> pens so that I will do coloring with those color pencils available on desk.
>
> #1 Spend a few minutes to understand the point distribution between
> Core requirement (L2, IGP, BGP, ISDN) and non-core ( IOS, Service,
> Security, Mcast)
>
> #2 Spend a few minutes to understand the topology.
> Figure out core network, stub network, BB
>
> #3 Enter Alias command to notepad and copy paste to all routers.
> "show run | b Se" ( surprisingly, I didn't use this command after I built
> drawing because I can find out my sub-interface number from drawing!)
>
> #3 Attack F/R ( targeting 10~15 min)
> While reading the task, draw a quick diagram showing interface type ( ph,
> m, p2p).
> Configure router by router, not interface by interface
> Always 0) shut 1) enc frame-relay 2) no frame inverse 3) no shut.
> Ping from spoke to spoke if possible, to validate.
> If PPP over FR, then always create VT first, user/password
> In this way, I was able to do this in 7 min for 3 pvc's ( each pvc has
> different interface type).
>
> #4 Attack CAT ( 25~35 min)
> 4-1 While reading the task, make VLAN table like below
> VL Router CAT1 CAT2 Router VL
> 10 R1 f0/0------f0/1 f0/2 ---------f0/0 R2 10
> 20 R3 f0/1------f0/3 f0/4 ---------f0/0 R4 30
> 40 R5 f0/0 ------f0/5
> 40 R6 f0/1-------f0/6
> f0/23---f0/23
> f0/24---f0/24
> vl 10 vl40
> client vtp server vtp
> Determine VTP mode, trunk mode.
> 4-2 Delete vlan database " delete flash:vlan" before configuring !
> Then configure 1) VTP, 2) Vlan, 3) cat-cat 4) access port, 4) trunk port
> 4-3 Read task once again and make sure nothing missed
> 4-4 ping vlan by vlan. Select only one device and ping all other on a
> specific vlan.
> > No need to ping from multiple interfaces on the same vlan.
> > Don't wait for Arp resolution!
> CAT takes about 25 minutes in my scenario ( but real lab would take
> shorter)
>
> >
> > #5 Attack ATM ( I can spend a lot time if I screwed config. 5~25min )
> > Quickly decide PVC vs SVC
> > 5-1 If SVC, then decide "CLIP" or "SVC nsap"
> > Put "pvc 0/16 ilmi and pvc 0/5 qsaal " and "show atm ilmi-status" to
> > validate nsap address.
> > 5-1-1 if CLIP, then decide "arp-server self" or "arp-server nsap"
> > And then decide physical or sub
> > 5-1-2 if SVC nsap, decide physical or logical
> > 5-2 if PVC, then decide "pvc vci/vpi" or map-list/map-group
> > 5-3 after 5-1 or 5-2 done, figure out nsap or vci/vpi. Pay attention
> > nsap is HEX!
> If PPP over ATM, then always create VT or dialer interface first, then
> > user/password
> > 5-4 ping and validate
>
> ############## L2 is over between 40~1:15
> ###########################################
> >
> > #6 Attack OSPF
> Based on my test, it was very important the way I write down on paper in
> order to make router-by-router step work.
> 6-1 While reading the task, Draw a diagram to configure OSPF router by
> router not area by area w/ green coloring.( 10 min)
> > Check if there are
> > authentication
> > stub or nssa.
> > virtual link
> > Make a note on redistribute, summary, area-range.
> > Pay attention to DR/BDR, OSPF network type
>
> Write config separately for interface and ospf on drawing.
> For example, the below was my note on drawing I made while I am reading
> task.
>
> For R1
> int s0/0.123
> p2m, md5,
> int s0/0.14
> non-bro, pri 0, md5
> int f0/0
> nothing
>
> ospf
> r-id
> a 0 md5
> a 12 nssa no-sum, no-red
> a 13 stub no-sum
> a 12 v r4 md5
> a 14 v r2 md5
> a 5 v r3 md5
> nei R2
> nei R3
> area 5 range
> summary
>
> This method makes configuration time very short but it was extremely
> important to not forget anything to configure router-by-router as many
> people pointed out.
>
> > 6-2 Configure OSPF router by router based on drawing in Black ( 10~30
> min)
> First Interface and then router ospf
> > 6-2-1 Preferred sequence for configuring interface was 1) OSPF network
> type based, 2) priority, 3) Authentication,
> > 6-2-2 Preferred sequence for configuring OSPF process was from
> "easy-to-forget" to "always know" 1) router-id( it seems to only help for
> Virtual-link, I will skip if there is no Virtual link ) 2) area
> authentication, 3) area virtual link, 4) neighbor, 5) Network (copy paste
> from interface address)
> > 6-2-3 Validate everything is working( show ip os ne, show ip os vir,
> show ip os interface, show ip route ), ( 5 min)
>
> Just a note: with this method, I was able to do OSPF among five routers in
> 15 min from drawing to core config not including redistribute/summary/area
> range. This is my record time.
> Especially, virtual link config really seems to save time.
> There isn't much of a trap in OSPF like Rip. Very easy to validate it as
> well. If config works, in most cases it should be correct...
>
> 6-3 Do redistribute, summary, area range ( 5 min)
> It was necessary to separately treat area range, or summary
>
> 6-4 avoid any engagement with giant beasts. But make a note.
>
> #####OSPF is from 35 ~ 55 Min ( total 1:15 ~2:10)#######
>
> > 7 Attack RIP( 20~30 min)
> > It is very tricky!
> > 7-1 add RIP topology into OSPF drawing with blue coloring( 2 min).
> It seems Rip doesn't really have much detail info on drawing.
> > 7-2 Make sure active/passive interface
> WATCH OUT Split-Horizon is off on physical FR and ATM !
> > Pay attention to rip update method ( M/B/U) and version, authentication
> > Never assume it is always V2!, no auto-summary, mcast, etc
> > This selection can be applied to each direction of interface.
> > 7-3 Configure router by router( 5 min) per drawing
> In fact, core rip configuration is always router by router as rip doesn't
> have concept of adjacency per link.
> > 7-4 validate ( 3 min)
> > 7-5 Spend enough time to be absolutely correct on route-filter,
> > summary, etc ( 5 min)
> > 7-6 If mutual-redistribution is required, make sure multi-exit point
> > or single-exit point. Don't forget metric.
> > If it is multi-exit point, write down "rip subnets" on notepad and do
> > the following( 5 min)
> > 7-6-1 "redistribute ospf" under "router rip"
> > ##### Prevent Rip-originated routes entering Rip from OSPF ############
> > "Deny rip routes and permit all" route-map for "redistribute ospf" to
> rip
> > Don't wait after "clear ip route * " is issued if I am not "idiot!"
> >
> > 7-6-2 "redistribute rip subnets" under "router ospf"
> > ##### Prevent OSPF external routes entering OSPF from Rip #####
> > "Permit only rip routes" route-map for "redistribute rip subnets" to
> OSPF
> > Don't wait after "clear ip route * " is issued if I am not "idiot!"
> >
> > 7-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
> > ##### Fix redistributing router's AD for Rip routes #####
> > distance 121 0.0.0.0 255.255.255.255 11
> > "access-list 11 permit rip routes"
> > I saw sometimes this takes quite a few seconds. Don't do "clear ip
> > OSPF" or I will end up spending more time just for watching.
> >
> #### RIP is over 20 ~30 min( total 1:35 ~ 2:40) ############
> >
> > 8 Attack EIGRP ( 20~30min)
> > 8-1 While reading the task, add EIGRP topology into OSPF drawing in
> black w/o blue coloring ( 2 min).
> > 8-2 Determine non/passive/active-eigrp interface. Be open minded that
> WATCH OUT Split-Horizon is off on physical FR and ATM !
> > BB can be multicast/unicast. Load-balance, authentication, stub,
> > summary address( 5 min )
> > 8-3 Configure router by router( 5 min) per drawing
> > 8-4 validate ( 5 min)
> > 8-5 Spend enough time to be absolutely correct on route-filter,
> > summary, etc ( 5 min)
> > 8-6 If mutual-redistribution is required, make sure multi-exit point
> > or single-exit point.
> >
> > If it is multi-exit point, write down "eigrp subnets" on notepad ( 5
> min)
> > 8-6-1"redistribute ospf" under "router eigrp"
> > #####Protect EIGRP external route reentering from OSPF #######
> > "Deny eigrp routes and permit all" route-map for "redistribute ospf" to
> eigrp
> > Make sure metric is configured.
> >
> > 8-6-2 "redistribute eigrp subnet" under "router ospf"
> > ##### Protect OSPF external routes reentering from EIGRP
> > "Only permit eigrp routes" route-map for "redistribute ospf" to eigrp
> > Make sure metric is configured.
> >
> > 8-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
> > ##### Fix redistributing router's AD for eigrp external routes #####
> > distance 121 0.0.0.0 255.255.255.255 11
> > "access-list 11 permit eigrp routes"
> > I saw sometimes this takes quite a few seconds. Don't do "clear ip
> > OSPF" or I will end up spending more time just for watching.
> > Technically, only eigrp external route needs to be applied but eigrp
> > route won't hurt and make it simple.
> >
> ######EIGRP is over in 20~30 min (1:55 ~3:10 min) ##############
> >
> > 9.Attack ISIS ( 10 min)
> > 9-1 While reading the task, add ISIS topology into OSPF drawing in black
> w/ purple coloring ( 1 min).
> > 9-2 determine area type, IS-type, authentication ( domain, area,
> > interface level1-2).
> > Make sure of correct value of NET ( it is Hex), summary address
> > 9-3 Configure router by router.
> > 9-4 I don't believe there will be multi-exit mutual redistribution on
> ISIS
> > Make sure to redistribute connect network from ISIS to OSPF.
> >
> ###### ISIS is over in 10~15 min ( 2:05 ~3:25)
> >
> > 10 Attack ISDN ( 15~30 min)
> > 10-1 draw ISDN on a separate paper. ( 30 sec)
> > 10-2 Determine single/both callers, authentication type( no
> > auth/pap/chap), physical/dialer interface. PPP feature = multilink,
> > callback,
> > 10-3 Figure out back-up method ( floating static/OSPF demand/watch
> > group/back-up interface/rip trigger/ snap-shot routing ) focus on how
> > full reachability can be accomplished after F/R failed. Make sure
> > link is not flapping.
> > 10-4 Determine if there is additional task for interesting traffic
> filtering.
> > 10-5 configure ISDN router by router.
> > 10-5-1 select switch type, spid and shut and no shut and show isdn
> status.
> > make sure L2 is happy! Also make a quick test call using both
> > string " isdn test call interface bri0/0 "string" " and disconnect "
> > isdn test disconnect interface bri0/0 all"
> > 10-5-2 validate the link
> >
> ###### ISDN is over in 15 ~30 min ( 2:20 ~ 3:55)
> >
> > 11 Golden Moment ( 5~30 min)
> 11.1 Test full reachability with ISDN back-up link off
> > Check the Golden moment per NMC meaning the exciting moment when you
> > get ping response from every router to every router.
> > Run tclsh script
> > "foreach addr {
> > 1.1.1.1
> > ...
> > } { ping $addr }"
> > Just copy paste after tclsh ( it is really cool when you see pings go
> > through from everywhere to everywhere). To quit, just type " tclq"
>
> 11.1 Test full reachability with ISDN back-up link on
> 11.2 when ping has no response, write down ip address and troubleshoot.
> > Drawing will be the excellent tool for troubleshooting
> > Don't bother ISDN link yet.
> >
> ########### Full reachability is done in 5 ~30 min ( 2:25 ~4:25)
>
> > 12 Attack BGP( 20 ~40 min)
> > 12.1 While reading task, Drawing a BGP topology on a separate paper.( 3
> min)
> Drawing is very important in BGP
> 12.2 Determine RR or CON or both to do full-mesh iBGP.
> > See if neighbor peer-group is required,
> > decide ip address to use for bgp session.
> > 12.3 Configure router by router not BGP session-by-session
> > always put no sync and no auto-summary if allowed.
> > 12-4 Spend enough time to be absolutely correct on route-filtering (
> > ACL, prefix-list, as-path filter), route-aggregate(w/ as-set,
> > summary-only, suppress-map, attribute-map, advertise-map),
> > route-manipulation( w/as-prepending, med, local-pref, weight,
> > next-hop, advertise-map/non/existing-map, origin, community, etc )
> > route-dampening, etc.
> > 12-5 validate config. Use "clear ip bgp * soft " not " clear ip bgp * "
> and I don't have to wait!
> >
> ###### BGP is over in 20 ~40 ( 2:45 ~ 5:05) My target is before lunch!
> >
> > 13 IPv6( 10 min)
> > 13-1 draw a simple diagram ( 1 min)
> > 13-2 Watch out link local address over FR multilink.
> > SLA ID is 4th 16bit
> > 16bit:16bit:16bit:SLA ID(16 bit) : interface ID( 64 bits)
> > site-local = FEC0::
> > link-local = fe80::
> > 13-3 Check a full reachability using tcl script or just manual ping
> > depending on the number of routers.
> >
> > IPv6 is over 10 min ( total 2:45 ~ 5:15)
> >
> > ################## Core routing is done ####################
> > I should have at least 2:45 hours to go at least.
> >
> > Strategy will change depending how much time I have at this moment.
> >
> > 14 I would do multicast first ( 15 min)
> > 14-1 While reading task, mark a Mcast topology with red high lighter on
> OSPF drawing.
> > 14-2 Determine mcast topology ( dense-mode, static RP pim sparse,
> > Auto-rp/MA, pim V2 bsr, Auto-rp/MA/MSDP).
> Spot any RPF issue per IGP topology
> > 14-3 Configure router-by-router
> > 14-4 validate it
> > 14-5 If second part is difficult, skip by making a note.
> #####Minimum 2:30 left
> > 15 IOS/IP service ( 25 min)
> > Be careful not to block or drop any IGP updates
> > 15-1, just check quickly and do easy one first.
> > 15-2, skip difficult task by making a note
> ###### minimum 2:05 left
> > 16 QoS ( 30 ~ 40min)
> > Be careful not to block or drop any IGP updates
> > 16-1 Draw a flow on paper instead of in brain.
> > 16-2 Always determine classification method( ACL, NBAR) and direction.
> > 16-3 Determine shaping vs policing
> > 16-4 Consider all options for queuing( legacy custom/priority,
> > bandwidth/priority, shape average/peak, FRTS/GTS)
> > 16-5 consider all options for policing ( police, rate-limit, ip
> > multicast rate-limit, aggregate police( 3550))
> > 16-6 If frame-relay, don't forget adaptive-shaping.( becn, fecn,
> foresight)
> > 16-7 Consider all dropping modes (random detect, ecn, tail drop, marking,
> etc)
> ##### minimum 1:25
> > 17 Security ( 30~40min)
> > Be careful not to block or drop any IGP updates
> > 17-1 Draw a flow on paper instead of in brain.
> > 17-2 Consider all options for classification
> > std/ext/reflexive/dynamic ACL,
> > IP inspect,
> > tcp intercept
> > unicast RPF,
> > ip accounting output packet /access-violation/precedence,
> > 17-2 When configuring Switchport port-security mac-address, be careful
> > to include virtual and physical mac if HSRP is running.
> ###### minimum 45 min
>
> > 18 DLSW( 15 min)
> > 18.1 Draw a quick topology ( 1 min)
> > 18.2 Decide method of DLSW TCP, fst, fr.( I think only TCP will show up)
> > Peer on-demand( group/border)
> > Dynamic peering ( dynamic)
> > Loadbalance (round-robin, circuit-count),
> > Back-up ( back-up peer or cost)
> > DLSW uses tcp 2065 and udp 2067
> > NAT can affect DLSW ( higher ip DLSW peer drops)
> > 18.3 decide type of filtering
> > 18-3-1 Netbios name filter( netbios access-list host xyz permit zyx )
> > Icanreach/icannotreach netbios-name /netbiosexclusive
> >
> > 18-3-2 MAC address filter ( access-list 700-799, mac-address conversion
> needed )
> > Icanreach/icannotreach mac-address/mac-exclusive( address conversion)
> >
> > 18-3-3 LSAP filter ( access-list 200-299 permit )
> > SNA only "access-list 200 permit 0x0000 0x0d0d"
> > SNA and Netbios " access-list 200 permit 0xf0f0 0x0101"
> > Icanreach/icannotreach saps
> > icannotreach saps f0 ( deny netbios)
> >
> ###### minimum 30 min #############
> I am planning at least 1:30 hour left.
> I will do " tcl script " one more time to make sure everything works.
> I expect 2 ~ 4 questions I will skip.
> At this moment, depending on how much time I have, I quickly go back to
> the questions I skipped.
> I will invest my time in something I can see best chance of getting right
> out of the skipped ones.
> Jongsoo from RTP
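
Steps 7-6-1 to 7-6-3 of the checklist (multi-exit mutual redistribution between RIP and OSPF), written out as IOS configuration. This is an added example and not part of the original post; the RIP subnets, the OSPF process number, the seed metric and the route-map names are constructed.

```cisco
! Constructed sample values: the RIP domain is 172.16.10.0/24 and
! 172.16.20.0/24, OSPF runs as process 1. The same block goes on every
! router that redistributes between the two protocols.
!
! The "rip subnets" list from the notepad step. It is reused by both
! route-maps and by the distance command.
access-list 11 permit 172.16.10.0 0.0.0.255
access-list 11 permit 172.16.20.0 0.0.0.255
!
! 7-6-1: deny RIP-originated routes coming back from OSPF, permit all others
route-map OSPF-TO-RIP deny 10
 match ip address 11
route-map OSPF-TO-RIP permit 20
!
! 7-6-2: only native RIP routes may enter OSPF
route-map RIP-TO-OSPF permit 10
 match ip address 11
!
router rip
 ! a seed metric is required, otherwise the redistributed routes are unusable
 redistribute ospf 1 metric 3 route-map OSPF-TO-RIP
!
router ospf 1
 redistribute rip subnets route-map RIP-TO-OSPF
 ! 7-6-3: OSPF-learned copies of the RIP subnets get AD 121, so the
 ! native RIP route (AD 120) stays in the routing table
 distance 121 0.0.0.0 255.255.255.255 11
```

On the other redistribution point, `show ip route 172.16.10.0` should still list the prefix as a RIP route with distance 120 rather than as an OSPF external.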