
The CCIE lab checklist


Posted on 2015-5-25 13:42:13
  Bring different color pens and a highlighter (I don't think the proctor cares about them)
  #1 Spend a few minutes to understand the point distribution between Core requirement (L2, IGP, BGP, ISDN) and non-core (IOS, Service, Security, Mcast)
  #2 Spend a few minutes to understand the topology.
Figure out core network, stub network, BB
  #3 Enter alias commands into notepad and copy-paste to all routers.
One of my favorite aliases is
"show run | b Se"
  #3 Attack F/R (targeting 10~15 min)
Configure router by router, not interface by interface.
Always 1) enc frame-relay 2) no frame inverse 3) no shut
Check if spoke-to-spoke connectivity is required by checking the Core IGP section.
Ping from spoke to spoke if possible, not hub to spoke.
  If PPP over FR, then always create VT first, user/password
  #4 Attack CAT ( 15~20 min)
4-1 Read task and make VLAN table like below
VL   Router       CAT1   CAT2         Router   VL
10    R1 f0/0------f0/1       f0/2 ---------f0/0 R2   10
20    R3 f0/1------f0/3       f0/4 ---------f0/0 R4    30
40    R5 f0/0 ------f0/5
40    R6 f0/1-------f0/6
                        f0/23---f0/23
                        f0/24---f0/24
                        vl 10    vl40
                   client vtp   server vtp
4-2 configure CAT1 and CAT2 and validate
4-3 Read the task once again and make sure nothing is missed
4-4 ping vlan by vlan.  Select only one device and ping all other on a specific vlan.
    No need to ping from multiple interface on a same vlan.
    Don't wait for Arp resolution!
If PPP over ATM, then always create VT or dialer interface first, then user/password
  #5 Attack ATM (I can't spend time if I screwed config. 5~15 min)
Quickly decide PVC vs SVC
5-1 If SVC, then decide "CLIP" or "SVC nsap"
Put "pvc 0/16 ilmi and pvc 0/5 qsaal" and "show atm ilmi-status" to validate nsap address.
5-1-1 if CLIP, then decide "arp-server self" or "arp-server nsap"
And then decide physical or sub
5-1-2 if SVC nsap, decide physical or logical
5-2 if PVC, then decide "pvc vci/vpi" or map-list/map-group
5-3 after 5-1 or 5-2 done, figure out nsap or vci/vpi.  Pay attention: nsap is HEX!
5-4 ping and validate
  L2 is over between 30~50 min ( Worst case = 60 min)
  #6 Attack OSPF
6-1 Draw a diagram to configure OSPF router by router, not area by area. (10 min)
Check if there are authentication, stub or nssa, virtual link.
Make a note on redistribute, summary, area-range.
Pay attention to DR/BDR, OSPF network type
  6-2 Configure OSPF router by router based on drawing in black w/ green highlighter (10~30 min)
6-2-1  Always configure the interface first for 1) OSPF network type based on DR/BDR, hello interval, etc. 2) Authentication 3) priority 4) Loop interface ospf network type.
6-2-2 configure OSPF process in order of 1) router-id, 2) network (copy-paste from interface address), 3) neighbor command
6-2-3 Validate everything is working ( 5 min)
  6-3 Do redistribute, summary, area range ( 5 min)
  6-4 avoid any engagement with giant beasts. But make a note.
  OSPF is from 25 ~ 45 Min ( total 55 ~1:45)
  7 Attack RIP( 20~30 min)
   It is very tricky!
7-1 add RIP topology into OSPF drawing in blue (2 min).
7-2 Make sure active/passive interface
     Pay attention of rip update method ( M/B/U) and version, authentication
     Never assume it is always V2!, no auto-summary, mcast, etc
     This selection can be applied to each direction of interface.
7-3 Configure router by router( 5 min) per drawing
7-4 validate (3 min)
7-5 Spend enough time to be absolutely correct on route-filter, summary, etc. (5 min)
7-6 If mutual-redistribution is required, make sure multi-exit point or single-exit point.  Don't forget metric.
If it is multi-exit point, write down "rip subnets" on notepad and do the following (5 min)
  7-6-1 "redistribute ospf" under "router rip"
##### Protect Rip routes reentering from OSPF #####
"Deny rip routes and permit all" route-map for "redistribute ospf" to rip
Don't wait after "clear ip route *" is issued if I am not "idiot!"
  7-6-2 "redistribute rip subnets" under "router ospf"
##### Protect OSPF external routes reentering from Rip #####
"Permit only rip routes" route-map for "redistribute rip subnets" to OSPF
Don't wait after "clear ip route *" is issued if I am not "idiot!"
  7-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
##### Fix redistributing router's AD for Rip routes #####
distance 121 0.0.0.0 255.255.255.255 11
"access-list 11 permit rip routes"
I saw sometimes this takes quite a few seconds.  Don't do "clear ip OSPF" or I will end up spending more time just for watching.
  RIP is over 20 ~30 min( total 1:15 ~ 2:15)
  8 Attack EIGRP ( 20~30min)
8-1 add EIGRP topology into OSPF drawing in black w/o highlighter (2 min).
8-2 Determine non/passive/active-eigrp interface. Be open minded that BB can be  multicast/unicast. Load-balance, authentication, stub, summary address( 5 min )
8-3 Configure router by router( 5 min) per drawing
8-4 validate ( 5 min)
8-5 Spend enough time to be absolutely correct on route-filter, summary, etc. (5 min)
8-6 If mutual-redistribution is required, make sure multi-exit point or single-exit point.
  If it is multi-exit point, write down "eigrp subnets" on notepad (5 min)
  8-6-1 "redistribute ospf" under "router eigrp"
##### Protect EIGRP external route reentering from OSPF #####
"Deny eigrp routes and permit all" route-map for "redistribute ospf" to eigrp
Make sure metric is configured.
  8-6-2 "redistribute eigrp subnet" under "router ospf"
##### Protect OSPF external routes reentering from EIGRP #####
"Only permit eigrp routes" route-map for "redistribute ospf" to eigrp
Make sure metric is configured.
  8-6-3 distance 121 0.0.0.0 255.255.255.255 11 under "router OSPF"
##### Fix redistributing router's AD for eigrp external routes #####
distance 121 0.0.0.0 255.255.255.255 11
"access-list 11 permit eigrp routes"
I saw sometimes this takes quite a few seconds.  Don't do "clear ip OSPF" or I will end up spending more time just for watching.
Technically, only eigrp external routes need this applied, but eigrp routes won't hurt and it keeps things simple.
  EIGRP is over in 20~30 min (1:35 ~2:45 min)
  9.Attack ISIS ( 10 min)
9-1 add ISIS topology into OSPF drawing in black w/ purple highlighter (2 min).
9-2 determine area type, IS-type, authentication ( domain, area, interface level1-2).
     Make sure of correct value of NET ( it is Hex), summary address
9-3 Configure router by router.
9-4 I don't believe there will be multi-exit mutual redistribution on ISIS
    Make sure to redistribute connect network from ISIS to OSPF.
  ISIS is over in 10~15 min ( 1:45 ~3:00)
  10 Attack ISDN ( 15~30 min)
10-1 draw ISDN on a separate paper. ( 30 sec)
10-2 Determine single/both callers, authentication type( no auth/pap/chap), physical/dialer interface. PPP feature = multilink, callback,
10-3 Figure out back-up method (floating static/OSPF demand/watch group/back-up interface/rip trigger/snap-shot routing), focus on how full reachability can be accomplished after F/R failed.  Make sure link is not flapping.
10-4 Determine if there is additional task for interesting traffic filtering.
10-5 configure ISDN router by router.
10-5-1 select switch type, spid and shut and no shut and show isdn status.
      make sure L2 is happy!  Also make a quick test call using both strings "isdn test call interface bri0/0 "string"" and disconnect "isdn test disconnect interface bri0/0 all"
10-5-2 validate the link
  ISDN is over in 15 ~30 min  ( 2:00 ~ 3:30)
  11 Golden Moment ( 5~30 min)
Check the Golden moment per NMC meaning the exciting moment when you get ping response from every router to every router.
Run tclsh script
"foreach addr {
1.1.1.1
...
}  { ping $addr }"
Just copy-paste after tclsh (it is really cool when you see pings go through from everywhere to everywhere).  To quit, just type "tclq"
  11.1 when ping has no response, write down ip address and troubleshoot.
Drawing will be the excellent tool for troubleshooting.
Don't bother with the ISDN link yet.
  Full reachability is done in 5 ~30 min ( 2:05 ~4:00)
  12 Attack BGP( 20 ~40 min)
12.1 Drawing a BGP topology on a separate paper.( 3 min)
12.2 Determine RR or CON or both to do full-mesh iBGP.
      See if neighbor peer-group is required,
      decide ip address to use for bgp session.
12.3 Configure router by router not BGP session-by-session
      always put no sync and no auto-summary if allowed.
12-4 Spend enough time to be absolutely correct on route-filtering (ACL, prefix-list, as-path filter), route-aggregate (w/ as-set, summary-only, suppress-map, attribute-map, advertise-map), route-manipulation (w/ as-prepending, med, local-pref, weight, next-hop, advertise-map/non/existing-map, origin, community, etc.), route-dampening, etc.
12-5 validate config.  Don't just wait for route update after "clear ip bgp *" if you want to pass. It would take longer than a minute !!
  BGP is over in 20 ~40 ( 2:25 ~ 4:40)  My target is before lunch!
  13 IPv6( 10 min)
13-1 draw a simple diagram (1 min)
13-2 Watch out link local address over FR multilink.
        SLA ID is 4th 16bit
        16bit:16bit:16bit:SLA ID(16 bit) : interface ID( 64 bits)
         site-local = FEC0::
         link-local = fe80::
13-3 Check full reachability using tcl script or just manual ping depending on the number of routers.
  IPv6 is over 10 min  ( total 2:35 ~ 4 :50)
  ################## Core routing is done ####################
  I should have at least 3 hours to go.
  Strategy will change depending how much time I have at this moment.
  14 I would do multicast first ( 15 min)
14-1 Mark a Mcast topology with red high lighter on OSPF drawing.
14-2 Determine mcast topology ( dense-mode, static RP pim sparse, Auto-rp/MA, pim V2 bsr,  Auto-rp/MA/MSDP).
14-3 Configure router-by-router
14-4 validate it
14-5 If second part is difficult, skip by making a note.
  15 IOS/IP service
Be careful not to block or drop any IGP updates
15-1, just check quickly and do the easy ones first.
15-2, skip difficult task by making a note
  16 QoS
Be careful not to block or drop any IGP updates
16-1 Draw a flow on paper instead of in brain.
16-2 Always determine classification method( ACL, NBAR) and direction.
16-3 Determine shaping vs policing
16-4 Consider all options for queuing( legacy custom/priority, bandwidth/priority, shape average/peak, FRTS/GTS)
16-5 consider all options for policing ( police, rate-limit, ip multicast rate-limit, aggregate police( 3550))
16-6 If frame-relay, don't forget adaptive-shaping.( becn, fecn, foresight)
16-7 Consider all dropping modes (random detect, ecn, tail drop, marking, etc)
  17 Security
Be careful not to block or drop any IGP updates
17-1 Draw a flow on paper instead of in brain.
17-2 Consider all options for classification: std/ext/reflexive/dynamic ACL, IP inspect, tcp intercept, unicast RPF, ip accounting output packet/access-violation/precedence,
  17-2 When configuring Switchport port-security mac-address, be careful to include virtual and physical mac if HSRP is running.
  18 DLSW
18.1 Draw a quick topology ( 1 min)
18.2 Decide method of DLSW TCP, fst, fr.( I think only TCP will show up)
      Peer on-demand( group/border)
      Dynamic peering ( dynamic)
      Loadbalance (round-robin, circuit-count),
      Back-up ( back-up peer or cost)
      DLSW uses tcp 2065 and udp 2067
      NAT can affect DLSW ( higher ip DLSW peer drops)
18.3 decide type of filtering
18-3-1 Netbios name filter( netbios access-list host xyz permit zyx )
         Icanreach/icannotreach netbios-name /netbiosexclusive
  18-3-2 MAC address filter ( access-list 700-799,  mac-address conversion needed )
         Icanreach/icannotreach mac-address/mac-exclusive( address conversion)
  18-3-3 LSAP filter ( access-list 200-299 permit )
              SNA only "access-list 200 permit 0x0000 0x0d0d"
              SNA and Netbios "access-list 200 permit 0xf0f0 0x0101"
         Icanreach/icannotreach saps
               icannotreach saps  f0  ( deny netbios)
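
The multi-exit mutual redistribution steps in 7-6 (8-6 follows the same pattern for EIGRP), written out as an added example that is not part of the original post. ACL 11 and distance 121 come from the post; the OSPF process number, the 172.16.0.0/16 RIP range, the seed metric and the route-map names are assumptions made for illustration.

```cisco
! Constructed sample: the RIP domain is assumed to live inside 172.16.0.0/16.
! ACL 11 is the "rip subnets" list written on the notepad in step 7-6.
access-list 11 permit 172.16.0.0 0.0.255.255
!
! 7-6-1: OSPF -> RIP. Deny RIP-native prefixes so they cannot re-enter RIP
! through the other exit point; permit everything else.
route-map OSPF-TO-RIP deny 10
 match ip address 11
route-map OSPF-TO-RIP permit 20
!
! 7-6-2: RIP -> OSPF. Permit only RIP-native prefixes; the implicit deny at
! the end of the route-map drops OSPF externals that leaked into RIP.
route-map RIP-TO-OSPF permit 10
 match ip address 11
!
router rip
 ! Seed metric is mandatory here ("Don't forget metric"); 3 is a constructed value.
 redistribute ospf 1 metric 3 route-map OSPF-TO-RIP
!
router ospf 1
 redistribute rip subnets route-map RIP-TO-OSPF
 ! 7-6-3: RIP-native prefixes heard back through OSPF get AD 121, which loses
 ! to RIP's AD of 120, so this router keeps using the RIP-learned route.
 distance 121 0.0.0.0 255.255.255.255 11
```

Apply the same block on every redistributing router; afterwards "show ip route" for a RIP-native prefix on each of them should list it as learned from RIP with distance 120, not as an OSPF external.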
