Passed v5 written - my thoughts

lrblrb Member Posts: 526
So I passed the written v5 today with a pretty good score but I would not say it was an easy exam. There were a lot of "trivial pursuit" style questions where you just simply had to recall some default settings in IOS (obviously can't say much more than that due to NDA) which I find is just silly on a CCIE exam. In the real world if I want to see some particular default value I will use a show command to find it out. And don't skimp out on studying the "written only" topics like PfR, GET VPN, etc, like I did because this could come back to bite you.

Oh well, I've got that over and done with now so it's onto the CCIE lab in about 8 weeks I guess.

I really only used routing TCP/IP vol1 and vol2 and cisco.com. With the new exam objectives, it's really easy to work out what you need to study. I pretty much picked one or two topics to study a night after work, and labbed then documented my findings using IOU and Evernote. I probably studied for about 8 weeks for about 3 hours a night and maybe 15 hours over the weekends. When I labbed, I would pretty much try to tweak any settings I possibly could to see how that affected things using debug/show/pcaps.

Once I've had a few days to finish Watch Dogs on the PS4 I will get back into the swing of things and start going over Narbik's workbooks (all the way from fundamentals to the advanced technologies and troubleshooting ones) and then probably purchase a few full-scale test labs from 360 or whatever it's called now.

Happy to provide more info on how I prepared for the exam if anyone wants it.

Comments

  • lrblrb Member Posts: 526
    Actually one side note, if you have just recently finished your CCNP and properly studied for the SWITCH exam, you should definitely begin studying for the CCIE right away because there is not a lot of difference in CCIE and CCNP level L2 knowledge in my opinion. Maybe VTPv3 and MST might be the only extra bits.
  • jamesp1983jamesp1983 Member Posts: 2,475 ■■■■□□□□□□
    Congratulations and thanks for the info.
    "Check both the destination and return path when a route fails." "Switches create a network. Routers connect networks."
  • networker050184networker050184 Mod Posts: 11,962 Mod
    Congrats!
    An expert is a man who has made all the mistakes which can be made.
  • Dieg0MDieg0M Member Posts: 861
    Congrats
    Follow my CCDE journey at www.routingnull0.com
  • RouteMyPacketRouteMyPacket Member Posts: 1,104
    Why do I get the sneaking suspicion you are setting yourself up for a rude awakening? Perhaps you didn't lay out your full training resources but if I am to take it as you wrote it, then I shudder to think how this will end for you.

    "I really only used routing TCP/IP vol1 and vol2 and cisco.com. With the new exam objectives, it's really easy to work out what you need to study. "

    I wish you the best of luck, I really do but there is a reason it seems nobody is sitting the v5 lab right now. I know of two lab attempts in the last 4 months and while there not one person was sitting R/S which is unheard of but it's due to the changes. I am anxious to hear what the new Diagnostics portion is like.
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the
    middle of the night because of a network problem and had to figure out the
    traffic flows in your network while you were half asleep, could you do it?
  • tomtom1tomtom1 Member Posts: 375
    lrb wrote: »
    Happy to provide more info on how I prepared for the exam if anyone wants it.

    That's always welcome :)
  • Dieg0MDieg0M Member Posts: 861
    @Routemypacket, I know two people who have sat it. Both failed but not because of knowledge :)
    Follow my CCDE journey at www.routingnull0.com
  • lrblrb Member Posts: 526
    Why do I get the sneaking suspicion you are setting yourself up for a rude awakening? Perhaps you didn't lay out your full training resources but if I am to take it as you wrote it, then I shudder to think how this will end for you.

    As I said, after Cisco came out with their exam transparency initiative I think it's made studying for this a lot clearer about what things they are looking to test on. I remember the old BSCI exam objectives were like "Configure, verify, and troubleshoot OSPF" and so you were always stuck trying to figure out where to focus most of your efforts on. At least with the new blueprint you can think "okay, they have clearly stated that they are testing on stubs, NSSA, transit capability, virtual link, LFA, etc". And with me personally, I don't remember things just from reading as I would if I started from the ground up on a topic and labbed it up and watched every single debug line and tried to figure out myself what was going on. But yes those three resources I mentioned were the only real ones I read, other than whatever links came out of googling e.g. NHRP shortcut and reading some blogs or articles on whichever site I thought gave me the best info for something I was having trouble understanding.

    But I'm 100% with you on being nervous about the lab horror stories that I've heard. I asked Bruno (CCIE R&S program manager) at Cisco Live this year if these were anything like the old OEQs and he said absolutely not. However, I don't want to get burned because my methodology for diagnosing a problem with the resources I have is different from Bruno's (and obviously all of the other people who work very hard on the CCIE program).

    I should also mention my aggressive timeline is because I'm changing jobs in about 10 weeks to be a senior security engineer so my day-to-day at-work activities that contribute to my R&S study will pretty much stop for about a year while I'm on this project. For the last 6 months and the next 10 weeks I pretty much work solely with DMVPN, IPsec and MPLS for customers. Working with DMVPN for customers in Australia has actually made me appreciate RIP again
  • JeanMJeanM Member Posts: 1,117
    Congrats to you sir! I imagine you've read lots of other material (NP/IP stuff) and your hands-on experience also helped your case :)
    2015 goals - ccna voice / vmware vcp.
  • gorebrushgorebrush Member Posts: 2,743 ■■■■■■■□□□
    Sounds like the experience is counting for an awful lot in this case.

    Good job!
  • jamesp1983jamesp1983 Member Posts: 2,475 ■■■■□□□□□□
    I wish you the best of luck, I really do but there is a reason it seems nobody is sitting the v5 lab right now. I know of two lab attempts in the last 4 months and while there not one person was sitting R/S which is unheard of but it's due to the changes. I am anxious to hear what the new Diagnostics portion is like.


    I have seen a few v5 attempts on ieoc.com. All will be retaking it unfortunately.
    "Check both the destination and return path when a route fails." "Switches create a network. Routers connect networks."
  • lrblrb Member Posts: 526
    jamesp1983 wrote: »
    I have seen a few v5 attempts on ieoc.com. All will be retaking it unfortunately.

    Yes I have seen the same thing happening. I usually look at the "Success Stories" subforum and there haven't been any v5 passes (unless I missed them).
  • ccnpninjaccnpninja Member Posts: 1,010 ■■■□□□□□□□
  • lrblrb Member Posts: 526
    Anyone going to Narbik's 10 day bootcamp in Sydney Australia in November?
  • lrblrb Member Posts: 526
    Has anyone gotten stateful DHCPv6 client to work properly in IOS? When I run the command ipv6 address dhcp the router doesn't send the SOLICIT messages to the FF02::1:2 address even after it receives the RA message from the local router that has the M bit set.

    ipv6 address autoconfig works however if I set the ipv6 nd other-config-flag command on the router to set the O bit but this doesn't solve my issue with trying to get stateful DHCPv6 to work.

    I have done nothing but this stupid task for about the last 2 hours and I'm prepared to blame this on an IOU bug
  • lrblrb Member Posts: 526
    Well no later than I post that I figured out I need the ipv6 enable command under the interface otherwise it won't create the link-local address to send the SOLICITs from. I'm so used to configuring static addresses on the interfaces and having the link locals assigned automatically without me having to type that command that I forgot all about it. It wasn't on the configuration guide though that the command was required.

    So in case anyone doesn't want to become frustrated at DHCPv6 like me, if you want to configure IOS as a DHCPv6 client use the following commands.
    R1(config)#int e0/0
    R1(config-if)#ipv6 enable 
    R1(config-if)#ipv6 address dhcp
    
  • lrblrb Member Posts: 526
    Been travelling a lot lately with conferences, site visits, etc, so haven't had a lot of time for study outside of work, but my lab is booked in for 20/11/2014 in Sydney! I've switched my study from discrete technology study (INEv5 workbook, Narbik's book) to simply testing out as many different scenarios as I can (DMVPN with PAT in between, IPv6 BGP neighbours with VPNv4 route target constraint and OSPF prefix suppression, etc). If I have the time I might start updating this thread with more regular updates.

    When you guys have been doing mocks, what kind of drawings do you typically do at the start? IP addressing, layer 2, routing protocols?
  • lrblrb Member Posts: 526
    2.5 hours tonight:

    1) Narbik's v4 workbook: OSPF filtering with prefix lists, summarizing with the no-advertise option, AD changes, LSA filtering, etc. Made a few errors with the Summary LSA filtering between areas in relation to the in and out keywords.

    2) Some more IPsec/DMVPN practice with Phase 3 (shortcut/redirect)

    3) Narbik's v4 workbook: OSPF NSSA suppress-FA, NSSA default routing, and OSPF over DMVPN
  • Dieg0MDieg0M Member Posts: 861
    lrb wrote: »
    When you guys have been doing mocks, what kind of drawings do you typically do at the start? IP addressing, layer 2, routing protocols?

    I used to draw just IP addressing and routing protocols real quick but I heard that in the V5 you don't even have time to do IP addressing so it is better just to sketch out the routers and routing protocol without interface and IP addresses.
    Follow my CCDE journey at www.routingnull0.com
  • EssendonEssendon Member Posts: 4,546 ■■■■■■■■■■
    Good luck mate, barracking for ya! Go bring it home!!
    NSX, NSX, more NSX..

    Blog >> http://virtual10.com
  • lrblrb Member Posts: 526
    Essendon wrote: »
    Good luck mate, barracking for ya! Go bring it home!!

    Thanks mate!

    Started tonight with some redistribution from Narbik's workbook. In an effort to make sure I know how to do things as well in named-mode EIGRP as I do classic EIGRP, I did the redistribution into EIGRP tasks with named-mode. However, don't fall into the habit I do with your default metrics.

    Example:
    router eigrp CCIE
     add ipv4 as 100
      net 10.1.14.0 0.0.0.255
     top base
      redistr rip route-map RIP->EIGRP metric 1 1 1 1 1
    

    Will result in other routers in the EIGRP AS with an inaccessible distance to the redistributed network.
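
Why the seed metric `1 1 1 1 1` behaves differently in named mode, worked through in Python as an added example (not part of the original post). It assumes Cisco's published wide-metric formula with default K values (K1 = K3 = 1) and the default `metric rib-scale` of 128; the function names are made up for this illustration.

```python
# Assumed constants from Cisco's EIGRP wide-metric documentation.
EIGRP_BANDWIDTH = 10**7   # reference bandwidth, kbps
WIDE_SCALE = 65536        # wide-metric scaling factor
PICO_PER_USEC = 10**6     # picoseconds per microsecond
RIB_SCALE = 128           # default "metric rib-scale"
RIB_INFINITY = 2**32 - 1  # 32-bit RIB metric; this value means unreachable


def classic_metric(bw_kbps, delay_tens_usec):
    """Classic-mode 32-bit composite metric (K1 = K3 = 1)."""
    return 256 * (EIGRP_BANDWIDTH // bw_kbps + delay_tens_usec)


def wide_metric(bw_kbps, delay_tens_usec):
    """Named-mode 64-bit composite metric (K1 = K3 = 1)."""
    throughput = EIGRP_BANDWIDTH * WIDE_SCALE // bw_kbps
    # The redistribute command takes delay in tens of microseconds;
    # wide metrics carry it in picoseconds.
    delay_ps = delay_tens_usec * 10 * PICO_PER_USEC
    latency = delay_ps * WIDE_SCALE // 10**6
    return throughput + latency


def rib_metric(bw_kbps, delay_tens_usec):
    """Wide metric scaled down so it can be offered to the 32-bit RIB."""
    return wide_metric(bw_kbps, delay_tens_usec) // RIB_SCALE


def installable(metric):
    """True when the metric fits below the RIB's infinity value."""
    return metric < RIB_INFINITY


def min_seed_bandwidth(delay_tens_usec, limit=10**7):
    """Smallest seed bandwidth (kbps) whose scaled wide metric still fits."""
    for bw in range(1, limit + 1):
        if installable(rib_metric(bw, delay_tens_usec)):
            return bw
    return None  # the delay alone already overflows the RIB metric


if __name__ == "__main__":
    for bw, delay in [(1, 1), (10000, 100)]:
        print(f"metric {bw} {delay} 255 1 1500:",
              "classic", classic_metric(bw, delay),
              "| wide/rib-scale", rib_metric(bw, delay),
              "| installable", installable(rib_metric(bw, delay)))
    print("smallest usable bandwidth with delay 1:", min_seed_bandwidth(1))
```

With bandwidth 1 the classic metric still fits in 32 bits, while the scaled wide metric does not, which matches the difference between classic and named mode described in the post.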
  • lrblrb Member Posts: 526
    After about another 2 hours, finally got through Narbik's redistribution section from his v4 Vol1 workbook. I found this much much harder than any of the INE redistribution labs but I like the way Narbik's labs are set up intentionally with restrictions (i.e. no tunnelling to connect non-backbone areas to the backbone over a stub, get RIP routers to exchange routes that aren't on the same subnet without using xconnects, etc) which makes you definitely think outside the box for solutions.

    Anyway that's another 3 hours in the book tonight
  • lrblrb Member Posts: 526
    Started again tonight with a small redistribution lab and preventing loops with tags.

    For anyone who doesn't have a good process of which tags to use and knowing how to set up the filtering, I use something similar to this:
    route-map RIP->OSPF d 10
     match tag 110
    route-map RIP->OSPF p 1000
     set tag 120
    
    route-map OSPF->RIP d 10
     match tag 120
    route-map OSPF->RIP p 1000
     set tag 110
    
    router ospf 1
     redistr rip sub route-map RIP->OSPF
    
    router rip
     redistr ospf 1 route-map OSPF->RIP metric 5
    

    I set the tag to the default AD of the source routing protocol in the redistribution config. For example, when I'm redistributing RIP to OSPF, I set the tag to 120 and all other routers who are performing OSPF to RIP redistribution are configured to deny routes with tag 120 because these routes are assumed to have been originated in the RIP domain.

    Hopefully this should help with speed in a redistribution task on the lab
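
The tag scheme in the post above can be checked offline. This Python sketch is an added example, not part of the original post: it parses the route-maps as typed (abbreviations included) and pushes a route through two redistribution points in turn. The `UNTAGGED` maps, the sample prefix and all function names are constructed for the illustration.

```python
from dataclasses import dataclass, replace

# Route-maps from the post, in the abbreviated form the poster typed.
TAGGED = """\
route-map RIP->OSPF d 10
 match tag 110
route-map RIP->OSPF p 1000
 set tag 120
route-map OSPF->RIP d 10
 match tag 120
route-map OSPF->RIP p 1000
 set tag 110
"""
# Constructed for contrast: the same redistribution with no tag filtering.
UNTAGGED = """\
route-map RIP->OSPF p 10
route-map OSPF->RIP p 10
"""


@dataclass(frozen=True)
class Route:
    prefix: str
    tag: int = 0  # 0 means untagged


def parse_route_maps(text):
    """Return {name: [entry, ...]} with entries ordered by sequence number."""
    maps, entry = {}, None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "route-map":
            entry = {"permit": words[2].startswith("p"), "seq": int(words[3]),
                     "match_tag": None, "set_tag": None}
            maps.setdefault(words[1], []).append(entry)
        elif words[:2] == ["match", "tag"]:
            entry["match_tag"] = int(words[2])
        elif words[:2] == ["set", "tag"]:
            entry["set_tag"] = int(words[2])
    for entries in maps.values():
        entries.sort(key=lambda e: e["seq"])
    return maps


def redistribute(route, entries):
    """First matching entry wins; no match at all is an implicit deny."""
    for e in entries:
        if e["match_tag"] is None or e["match_tag"] == route.tag:
            if not e["permit"]:
                return None
            if e["set_tag"] is not None:
                return replace(route, tag=e["set_tag"])
            return route
    return None


def feedback(maps, first, second, prefix="192.0.2.0/24"):
    """Redistribute a native route at one border router, then try to send it
    back at a second border router. Returns the looped route, or None."""
    exported = redistribute(Route(prefix), maps[first])
    if exported is None:
        return None
    return redistribute(exported, maps[second])


if __name__ == "__main__":
    for label, text in [("tagged", TAGGED), ("untagged", UNTAGGED)]:
        maps = parse_route_maps(text)
        print(label, "RIP route fed back into RIP:",
              feedback(maps, "RIP->OSPF", "OSPF->RIP"))
```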
  • lrblrb Member Posts: 526
    Nearly 4 hours tonight:

    1) Completed nearly 200 pages of MPLS from Narbik's workbook (Basics, LDP, L3VPN, PE-CE routing); nothing too hard here except that if you are using the OSPF as the IGP within the SP network it is much easier to use the command prefix-suppression under the OSPF process rather than using conditional label advertisement in my opinion. If the routes aren't in the RIB, LDP can't create bindings for them!

    2) Completed INE labs for PPP, CHAP/PAP, PPPoE, and MLPPP. Missed one command under the virtual-template interface which took me a while to find in the documentation
  • lrblrb Member Posts: 526
    Another 4 hours in the books today:

    1) Shared services MPLS VPN, Internet in a VRF, mainly from Narbik's workbook again and INE

    2) Went over all of the IPv6 sections in Narbik's workbook

    3) IPv6 prefix suppression

    4) BGP with IPv6 transport endpoints

    IPv6 is probably my slowest area at the moment in terms of setting up IGPs, BGP, typing in the addresses, etc at the moment. I'm trying to move away from using IP version-dependent OSPF and starting to use multi-AF OSPF as much as possible. Hopefully this might save me some time on the lab if there are some routers which are needing to run both OSPFv2 and OSPFv3
  • lrblrb Member Posts: 526
    Started off this afternoon with some more Phase 2 IPv6 DMVPN over an IPv4 underlay. Thankfully all of the NHRP commands work the same in IPv6 as they do in IPv4; the only real difference is the NBMA to overlay mapping is obviously IPv6 to IPv4.

    E.g.
    interface Tunnel100
     no ip address
     no ip redirects
     ipv6 address FE80::2 link-local
     ipv6 address 10:1:123::2/64
     ipv6 nhrp authentication Pass??
     ipv6 nhrp map multicast 169.254.100.1
     ipv6 nhrp map 10:1:123::1/128 169.254.100.1
     ipv6 nhrp network-id 123
     ipv6 nhrp nhs 10:1:123::1
     tunnel source Serial2/0
     tunnel mode gre multipoint
    

    The verification commands are almost exactly the same too.
    R1#show dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================
    
    Interface: Tunnel100, IPv6 NHRP Details 
    Type:Hub, Total NBMA Peers (v4/v6): 2
        1.Peer NBMA Address: 169.254.12.2
            Tunnel IPv6 Address: 10:1:123::2
            IPv6 Target Network: 10:1:123::2/128
            # Ent: 1, Status: UP, UpDn Time: 00:04:57, Cache Attrib: D
        2.Peer NBMA Address: 169.254.13.3
            Tunnel IPv6 Address: 10:1:123::3
            IPv6 Target Network: 10:1:123::3/128
            # Ent: 1, Status: UP, UpDn Time: 00:02:09, Cache Attrib: D
    

    Also, the NHRP network IDs do not have to match between spokes and a hub in a single-hub DMVPN design.
  • lrblrb Member Posts: 526
    So one of the junior NOC guys called me up today to verify his work for a customer that told us that he could still see labels when he used traceroute to ping routers at his other sites. I looked over his work and he had correctly used the no mpls ip propagate-ttl forwarded command to stop the PE routers from copying the IP TTL to the MPLS TTL and causing the packets to expire within our network. However, when he tested this out we could see that the egress PE router always expired the packet and included the label stack in the time exceeded message that it sent.

    I set something similar to our setup in IOU and tested a ping from R1 to R5 (both CE routers; loopback 1.1.1.1/32 and 5.5.5.5/32 respectively). Here are my findings.

    With propagate TTL on:

    R5#trace 1.1.1.1 source 5.5.5.5 num
    Type escape sequence to abort.
    Tracing the route to 1.1.1.1
    VRF info: (vrf in name/id, vrf out name/id)
      1 10.1.45.4 0 msec 1 msec 0 msec
      2 10.1.34.3 [MPLS: Labels 17/19 Exp 0] 0 msec 1 msec 0 msec
      3 10.1.12.2 [MPLS: Label 19 Exp 0] 0 msec 1 msec 0 msec
      4 10.1.12.1 1 msec *  1 msec
    

    With propagate TTL off on both PE routers:

    R5#trace 1.1.1.1 source 5.5.5.5 numer
    Type escape sequence to abort.
    Tracing the route to 1.1.1.1
    VRF info: (vrf in name/id, vrf out name/id)
      1 10.1.45.4 0 msec 0 msec 1 msec
      2 10.1.12.2 [MPLS: Label 19 Exp 0] 1 msec 1 msec 1 msec
      3 10.1.12.1 1 msec *  1 msec
    

    So how do you get rid of the label on the egress PE router? I looked in MPLS Fundamentals and noticed something interesting in the "Troubleshooting MPLS" chapter on page 502. The cliffs of this are that if the outgoing VPN label is for a BGP aggregate route, the egress PE router has to perform an extra lookup for the more specific network in the VRF table for the customer and because of this, can send the time exceeded message to the originating router rather than having to forward it to the customer to then have it come straight back. Because of this, the egress PE router doesn't include the label stack in the time exceeded message because it can send the message back to the original router itself.

    Configuration is as follows on the egress PE router (the one closest to the destination IP address in my traceroute commands)
    R2(config)#router bgp 1.1
    R2(config-router)#add ipv4 vrf R1_R5 
    R2(config-router-af)#aggregate-address 1.0.0.0 255.0.0.0 summ
    

    And now looking in the LFIB you can see that the outgoing VPN label (20) is for a BGP aggregate.
    R2#show mpls forward
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop    
    Label      Label      or Tunnel Id     Switched      interface              
    16         Pop Label  3.3.3.3/32       0             Et0/1      10.1.23.3   
    17         16         4.4.4.4/32       0             Et0/1      10.1.23.3   
    18         Pop Label  10.1.34.0/24     0             Et0/1      10.1.23.3   
    19         No Label   1.1.1.1/32[V]    15526         Et0/0      10.1.12.1   
    20         No Label   1.0.0.0/8[V]     0             aggregate/R1_R5
    

    As a result, the traceroute command now doesn't show any of the label stack.
    R5#trace 1.1.1.1 source 5.5.5.5 numer
    Type escape sequence to abort.
    Tracing the route to 1.1.1.1
    VRF info: (vrf in name/id, vrf out name/id)
      1 10.1.45.4 1 msec 0 msec 4 msec
      2 10.1.12.2 1 msec 0 msec 1 msec
      3 10.1.12.1 1 msec *  2 msec
    

    Hope that helps anyone else who runs into the same issue as us.
  • lrblrb Member Posts: 526
    Another 4 hours today:

    1) IPv6 DMVPN

    2) About half of the NAT questions in Narbik's workbook

    3) Some random tasks such as the MPLS traceroute from above, banners, and SSH

    4) BGP multipath, unequal-cost multipath with dmzlink-bw

    5) Cost community for pre-bestpath calculations

    I really wish INE would hurry up and get their CSRv rentals ready for the full-scale troubleshoot and config labs!
  • lrblrb Member Posts: 526
    3 hours today:

    1) Completed all of the NAT labs in the INE v5 workbook. FWIW I find INE's NAT labs a lot easier to go through than Narbik's ones.

    2) Stateful NAT with HSRP from Narbik's book

    3) NSSA translator election and NSSA traffic engineering from INE's workbooks

    I dunno if anyone has already done the INE v5 lab "OSPF NSSA Type-7 to Type-5 Translator Election" but from what I can tell a more elegant solution than the one in the solution is to use the following command:
    router ospf 1
     area 1 nssa translate type7 always
    

    Don't know if anyone else has an opinion on which one is better? Seems much less harmful than having to set a new router ID and clear the OSPF instance