From: Michael Zuo (mzuo@ixiacom.com)
Date: Thu Jan 25 2007 - 04:32:23 ART
Thank you all for the information. Some of them (such as forgetting to
configure "switchport port-security"), I have made the same mistake
before (multiple times!!) and wrote down in my notes. The rest I will
try to remember :)
I guess the secret to happiness is knowing that someone else is also
suffering (he he)
-----Original Message-----
From: Tim [mailto:ccie2be@nyc.rr.com]
Sent: Saturday, January 20, 2007 10:04 AM
To: Michael Zuo; ccielab@groupstudy.com
Subject: RE: security portion of the ccie lab
Michael,
I feel your pain.
Given that you seem to know your security stuff fairly well, my guess is
that your # 1 problem is that you are not fulfilling the requirements of
the task.
This means you probably aren't reading the task requirements carefully
enough. This is very easy to do.
Here are some easy mistakes to make.
Deny traffic from a web server to XYZ
The issue is where you place the "eq 80".
eg. access-list 100 deny tcp any eq 80 any
versus
access-list 100 deny tcp any any eq 80.
Although similar, it's easy to place the "eq 80" after the wrong parameter.
It might also help if you know of a way to test your acl.
One thing you can do is use telnet but specify the port.
For example, telnet w.x.y.z will do a regular telnet ie to port 23.
But, if you do this instead you can test your acl for other types of traffic.
telnet w.x.y.z 80 will test for web traffic.
Another very easy mistake to make is when configuring switch port security.
The task may specify 3, 4 or 5 items you need to configure. So, you do.
Mac addresses, aging, violation action, etc. All looks good...
Except you forgot to enable port security first and you didn't remember
the show command to use to validate your config. So, you just do a show run.
And, again, everything looks 100% correct.
Oops, there goes another 3 points.
Here's another potential mistake: Using the wrong time-range on your acl's.
Again, assuming you know how to config this, the issue here is CAREFULLY
reading the requirements. It's very easy to screw up.
And, don't forget (or be reluctant) to ask the proctor if the directions
aren't clear to you. That's what they're there for.
Sometimes, the directions are 100% ambiguous. It's happened to me.
In my case, the situation was analogous to this:
a x b - c
without parentheses, it was completely ambiguous what was required.
I know it's of little consolation, but many ccie candidates, myself
included, have had your experience. It's frustrating. It's humiliating.
And, possibly very expensive. (I had to pay the lab fee out of my own
pocket - multiple times.) So, I know what you're going through.
Just the same, stick in there, don't give up. Practice, and then practice
some more. And, keep taking the lab until you pass it.
The rewards are worth any sacrifice you make.
HTH, Tim
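The two configuration slips described in the message above (which side of the ACL entry the "eq 80" lands on, and port-security options entered without the enabling "switchport port-security" line) can be checked mechanically against a saved "show run". The Python below is an added example, not part of the original thread; the sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed sample of 'show run' output; not taken from the original thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport port-security maximum 3
 switchport port-security violation restrict
!
interface FastEthernet0/2
 switchport port-security
 switchport port-security maximum 3
!
access-list 100 deny tcp any eq 80 any
access-list 100 deny tcp any any eq 80
"""

ACL_RE = re.compile(r"^access-list \d+ (?:permit|deny) (?:tcp|udp) (.+)$")

def ports_missing_enable(config):
    """Interfaces that carry port-security options but never enable the feature."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return [n for n, c in blocks.items() if "switchport port-security" not in c
            and any(x.startswith("switchport port-security ") for x in c)]

def _addr(tok):  # skip 'any' (1 token) or 'host A' / 'A wildcard' (2 tokens)
    return tok[1:] if tok[:1] == ["any"] else tok[2:]
def _port(tok):  # consume an optional port match such as 'eq 80'
    n = {"eq": 2, "neq": 2, "lt": 2, "gt": 2, "range": 3}.get(tok[0] if tok else "", 0)
    return (" ".join(tok[:n]) or None), tok[n:]

def acl_port_sides(config):
    """(line, source_port_match, destination_port_match) per TCP/UDP ACL line.
    A source match means traffic sent FROM that port; a destination match, TO it."""
    out = []
    for m in filter(None, map(ACL_RE.match, config.splitlines())):
        src, rest = _port(_addr(m.group(1).split()))
        out.append((m.group(0), src, _port(_addr(rest))[0]))
    return out

if __name__ == "__main__":
    print(ports_missing_enable(SAMPLE_CONFIG))
    print(*acl_port_sides(SAMPLE_CONFIG), sep="\n")
```

IOS displays well-known ports by name in the running config (port 80 appears as "eq www"); the parser treats the token after "eq" as opaque, so either form works.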
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Michael Zuo
Sent: Friday, January 19, 2007 1:41 PM
To: ccielab@groupstudy.com
Subject: security portion of the ccie lab
Hi Group,
I need some advice on how to approach the security portion of the lab
(tricks, lessons and words of wisdom are also appreciated). I think I
have a fairly good understanding of various security features and how
they work and ACLs are never a problem when I do practice exams from
different vendors. But my exam score is 33% even though I did not
encounter any difficulties in that section (I didn't even have to look
at the Docs). Also, security section of the exam is not like the core
topics where one mistake can ripple throughout the setup, so my problem
most likely is not something I missed in one section and affected
everything else. I am scratching my head trying to figure out what the
problem could be? Because I know covering the same topics in my studies
will not give me more points if I don't approach it differently.
Any thoughts?
Thanks a lot
This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART