Passed v5 written - my thoughts

Comments

  • Lucas21Lucas21 Member Posts: 46 ■■□□□□□□□□
    lrb wrote: »
    Turns out work has asked me to help with an ACI design for one of our overseas US customers. Bad part is that I will be flying back the day before my lab which means I'm going to have to use the last day almost entirely for trying to catch up on sleep rather than reading my notes.

    US to Australia flight the day before CCIE lab? I'm assuming you absolutely couldn't shuffle it around or opt out somehow.
  • lrblrb Member Posts: 526
    jamesp1983 wrote: »
    Good luck! I'm interested in those features so I would love to check out your homemade labs.

    No probs James I will do that on the weekend when I'm back home.
    Lucas21 wrote: »
    US to Australia flight the day before CCIE lab? I'm assuming you absolutely couldn't shuffle it around or opt out somehow.

    Unfortunately not - I'm the lead engineer for my team and this is a big money client so I'll just have to do what I can. I am feeling pretty good about how my knowledge and speed are at the moment so I will just keep hammering labs as much as I can until my exam date and pray that the Cisco gods are nice to me that day :)
  • lrblrb Member Posts: 526
    I haven't done a whole lot of EEM for the real world but today we needed to change the VRF on one of the interfaces that we used to get into a router at a remote site, and obviously once you change the VRF membership of an interface it clears the IP addresses from the interface meaning that we would have lost connectivity to the router and had to wait for a scheduled reload which would cause downtime for a lot of the customers hanging off that router.

    So instead I wrote a small EEM applet to batch the configuration of the VRF and IP address settings, which meant that only our SSH connection would be dropped but we would be able to get back onto the router.
    event manager applet CHANGE_VRF
     event none
     action 1 cli command "enable"
     action 2 cli command "configure terminal"
     action 3 cli command "int s2/0"
     action 4 cli command "vrf forwarding CUST_B"
     action 5 cli command "ip address 10.0.0.1 255.255.255.254"
     action 6 cli command "end"
    

    And run it from enable mode as follows
    R2#event manager run CHANGE_VRF
    

    Might seem like a pretty basic EEM applet but it saved us our skins today!
  • lrblrb Member Posts: 526
    Only 1 hour tonight:

    1) OSPF filtering from Narbik's workbook. No dramas here except that I forgot to clear the OSPF process on some of the routers after issuing the command ip ospf database-filter all out and I couldn't work out why the LSDB was still populated with LSAs.
  • lrblrb Member Posts: 526
    2.5 hours tonight:

    1) More OSPF filtering using route-maps and tags.

    2) BGP route automatic-tag feature. This is a really cool feature to preserve some of the important BGP attributes when a prefix is redistributed out of BGP and then back into BGP somewhere else, and not something I'd come across until I was reviewing everything again in Narbik's workbook. Some more info is here for anyone particularly interested: CCIE Blog » Blog Archive » BGP automatic-tag & as-path tag

    3) Went through all of the BGP summarization options and inject maps one more time. Nothing too tricky here, except I need to remember to use the set command rather than the match command in the inject map which for some reason I always forget.

    4) Went through Narbik's standard communities labs again.

    13 days to go :)
  • bharvey92bharvey92 Member Posts: 420 ■■■□□□□□□□
    Fantastic read lrb! Will be keeping a close eye on your progress and your outcome result :)
    2018 Goal: CCIE Written [ ]
  • lrblrb Member Posts: 526
    bharvey92 wrote: »
    Fantastic read lrb! Will be keeping a close eye on your progress and your outcome result :)

    Thanks mate!

    Another 4 hours tonight:

    1) Went over all of the INE workbook for MST, including basic config, config with VTPv3, and traffic engineering

    2) Went through all of the INE EIGRP filtering tasks, including AD, per-prefix AD, route-maps, ACLs with discontiguous wildcard masks, and prefix lists

    3) Went through all of Narbik's BGP attributes tasks

    4) BGP dynamic neighbours

    All of the workload tonight felt very good, I'm going to hit Narbik's TS tasks pretty hard this weekend depending on how my next mock lab tomorrow goes. At this stage I feel pretty confident for the config section of the lab, slightly nervous about the TS section and how many completely unrealistic scenarios they will throw at me, and as for the diag section well I have no idea really! Out of most of the people I have talked to not one of them has actually finished the diag section due to an excess of information, but still passed the section anyway.
  • lrblrb Member Posts: 526
    4 hours today:

    1) A full TS lab from 360 which I found much easier than the INE TS labs. I found most of these labs pretty easy to diagnose just by the messages that were being printed to the console. For example, if you see this error:
    *Nov  8 06:18:35.157: %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Tunnel13 - looped chain attempting to stack
    R3#
    *Nov  8 06:18:36.661: %TUN-5-RECURDOWN: Tunnel13 temporarily disabled due to recursive routing
    *Nov  8 06:18:36.671: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel13, changed state to down
    

    You can pretty much guess that the problem is due to learning the tunnel underlay addresses through the tunnel itself, causing a recursive routing error.

    2) Completed about an hour of BGP regular expression labs. I had never actually seen the command bgp regex deterministic up until today. From what I read on Cisco and Stack Exchange, this can vastly improve the run time of complex regular expressions at the expense of taking longer for more simple ones. Out of curiosity I wrote a small Python script to connect to a router and measure the time taken to compute show ip bgp regexp with varying combinations of regular expressions, particularly those that use the \1 backreference to store a previous evaluation in the regular expression (e.g. to detect customers performing AS path prepending). No matter how complex I made the regexps or how many entries in the BGP table the command had to evaluate, I could not find much difference.

    3) Completed the GRE section of Narbik's workbook.

    4) Went through a bunch of BGP timers, optimizations, and conditional default routing
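
An added example, not the poster's script and not run against a router: the \1 backreference patterns mentioned in point 2, evaluated offline in Python over a constructed BGP table. The `_` translation follows Cisco's documented meaning of the underscore; the function names, ASNs and prefixes are assumptions made up for the illustration.

```python
import re

# IOS documents "_" as matching the start or end of the string, a space,
# a comma, a brace or a parenthesis. Python has no such atom, so expand it.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_regex(pattern):
    """Compile an IOS AS-path regexp as a Python pattern (approximation)."""
    return re.compile(pattern.replace("_", IOS_UNDERSCORE))


def show_ip_bgp_regexp(pattern, table):
    """Return the prefixes whose AS path matches, like 'show ip bgp regexp'."""
    rx = ios_regex(pattern)
    return [prefix for prefix, as_path in table if rx.search(as_path)]


def prepend_depth(as_path):
    """Map each ASN that appears back to back to its longest consecutive run."""
    runs, previous, count = {}, None, 0
    for asn in as_path.split():
        count = count + 1 if asn == previous else 1
        previous = asn
        if count > 1:
            runs[asn] = max(runs.get(asn, 0), count)
    return runs


# Constructed table: (prefix, AS path), private-use ASNs and documentation prefixes.
TABLE = [
    ("192.0.2.0/24", "65001"),
    ("198.51.100.0/24", "65001 65001 65001"),
    ("203.0.113.0/24", "65002 65010 65010 65020"),
    ("203.0.113.128/25", "65001 650011"),       # look-alike ASN, not a prepend
    ("192.0.2.128/25", "65002 65001 65002"),    # repeat, but not back to back
]

ANY_PREPEND = r"_([0-9]+)_\1_"     # some ASN repeated back to back
SINGLE_AS = r"^([0-9]+)(_\1)*$"    # exactly one ASN, prepended or not

if __name__ == "__main__":
    print("any prepend:", show_ip_bgp_regexp(ANY_PREPEND, TABLE))
    print("single AS  :", show_ip_bgp_regexp(SINGLE_AS, TABLE))
    for prefix, path in TABLE:
        print(prefix, prepend_depth(path))
```

The 65001/650011 row shows why the trailing `_` matters: without the delimiter after \1, a longer ASN that merely starts with the same digits would be reported as a prepend.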
  • Lucas21Lucas21 Member Posts: 46 ■■□□□□□□□□
    Please share how you did Netflow using IOU if you got the time.

    I'd also like some of your labs if you don't mind sharing. And hopefully a writeup on your lab strategies.
  • lrblrb Member Posts: 526
    Argh! My flight home has been delayed until tonight so I've been sitting in the airport for the last few hours waiting for a seat to come up.
    Lucas21 wrote: »
    I'd also like some of your labs if you don't mind sharing.

    I've been playing around with this lab I made up in IOU a few days ago. I wouldn't say it's overly tough, the tricky part is the NAT component that is hiding the hub router (spokes behind NAT are much easier to handle). I've made up a PDF in LucidDraw which I haven't used up until now so excuse any shoddiness ;) Let me know if there are any major mistakes and I will fix them up.

    DMVPN Lab #33.pdf

    As for NetFlow mine seems to work for local export and top talkers just fine. If you go ip flow? in global config does nothing show up?
  • lrblrb Member Posts: 526
    Here's one of my BGP labs on multipath too for anyone who is interested.

    BGP Multipath Lab #2.pdf
  • Lucas21Lucas21 Member Posts: 46 ■■□□□□□□□□
    Nothing shoddy about that pdf. Thanks for sharing. Even though some of the concepts I'm yet to learn about.

    I hadn't got to the Netflow section of the workbook, however, I misunderstood your wording to mean that it was tricky in IOU and you'd figured it out.
  • lrblrb Member Posts: 526
    Oh I see what you mean now. None of the ip flow-... commands appear to work in the INE topology on their CSR setup, which is why all of the NetFlow tasks are marked as "Pending Update". The NetFlow commands work just fine however in IOU.
    R3(config)#ip flow?
    flow-aggregation  flow-cache        flow-capture  flow-egress
    flow-export       flow-top-talkers
    
  • lrblrb Member Posts: 526
    Well I'm finally home and managed to get 3 hours of study done between the plane ride and before boarding.

    1) Skimmed over the VPN chapter from MPLS Fundamentals to make sure there is nothing I'm missing. Unless they throw something super crazy at me in the lab I don't think I'll have a problem with MPLS. I found the CCNP SP track harder than the CCIE for MPLS, especially CsC, TE, and inter-AS VPNs which are in SPEDGE/SPCORE.

    2) I completed my DMVPN/IPsec/NAT/VRF lab that I posted earlier. I tried a few variations, with having the spokes behind a NAT device and the hub behind a NAT device and I found it harder to get to work with the hub behind NAT scenario, due to the fact that the spokes already have the NBMA/overlay mapping of the NHS so it doesn't matter if they are hidden behind a NAT device, the hub will simply see the source IP address differ from the IP address in the NHRP packet (which is why/how you get the Claimed NBMA Address output in show ip nhrp).

    3) Reviewed a bunch of notes I have on IOS DNS and DHCP/DHCPv6 server. Tomorrow I will probably wake up early and try and knock out some PPP, DNS, and DHCP homemade labs.

    I also converted my BGP/MPLS optimizations lab to Lucidchart.

    BGP and MPLS Path Optimizations Lab #1.pdf
  • lrblrb Member Posts: 526
    3.5 hours today

    1) DHCP Snooping, IPSG, and DAI. For DAI and IPSG I went over the cases both where you can use the DHCP snooping DB and the case where you need to use static bindings of some sort (ARP ACL, static IPSG bindings)

    2) Went over the case where the spoke routers in a DMVPN are using either PPPoE or PPP to provide the underlay connectivity. I have a lab for this too which I can post later.

    3) Went over a stack of DHCP notes and configs, including relay option, DHCP address classes matching on subscriber-IDs, and a few other various things.

    10 sleeps now :)
  • silver145silver145 Member Posts: 265 ■■□□□□□□□□
    Looking good?

    Give us an update on how you are feeeeeeeeeeeeeling.

    Nervous? how you relaxing? ETC :) - will be useful for us all!
  • Dieg0MDieg0M Member Posts: 861
    Best of luck man!
    Follow my CCDE journey at www.routingnull0.com
  • lrblrb Member Posts: 526
    silver145 wrote: »
    Looking good?

    Give us an update on how you are feeeeeeeeeeeeeling.

    Nervous? how you relaxing? ETC :) - will be useful for us all!

    Yeah a little nervous, especially about the TS section. They could be really nasty (e.g. some weird scenario where NAT on a stick needs to be used but is now not working) or they could be kind (mismatched passwords, ACL blocking traffic). In my head I've mentally prepared to use the whole 2.5 hours which makes me feel a bit more at ease.

    Work's been pretty stressful lately, and all of my work time has been about finalizing the ACI design for one of our customers. I have to fly out in a few days so it means I'll have one full mock lab session before my real lab.

    Relaxing? Hmm, maybe watching an INE ATC video lying on the couch rather than sitting at my PC ;)

    I'll try and hit the following areas throughout the next week which I think could trip me up in the exam:
    1) EIGRP traffic engineering and unequal cost
    2) DHCP snooping with option 82
    3) Some of the L2 security features as VACL, PVLAN (although I'm not overly concerned with this, it's only 5% of the blueprint)
    4) Auto-RP and Auto-RP listener (although I think if Cisco tried to make the exam more "real world" they would use BSR)
  • lrblrb Member Posts: 526
    I just completed the first two chapters (Layer 2) of Narbik's new TS workbook... well worth the cash!
  • lrblrb Member Posts: 526
    About 6 hours today:

    1) Did a homemade lab on OSPF using GRE tunnels, virtual-links, DCs, and authentication.

    2) From Narbik's v5 TS workbook I completed both L2 labs (~8 tasks each), RIP, EIGRP, and OSPF. Doing these labs has given me a lot more confidence in preparation for the TS component of the lab. I still have about 250 pages left of TS tickets left to go from a 450 page book.
  • lrblrb Member Posts: 526
    Useful command to see the locally configured BGP policies applied to a neighbour:
    R1#show ip bgp neighbors 3.14.231.23 policy detail 
     Neighbor: 3.14.231.23, Address-Family: IPv4 Unicast
     Locally configured policies:
      filter-list 1 out
    
     Neighbor: 3.14.231.23, Address-Family: IPv4 Unicast <detail>
     Locally configured policies:
      filter-list 1 out
    AS path access list 1
        permit ^$
    
    
  • lrblrb Member Posts: 526
    Another 6 or so hours today in and around a long day of work getting my ACI presentation ready:

    1) Completed the BGP section of Narbik's v5 TS workbook. A lot of the questions involved problems with peering and filtering where you only have access to one of the devices, so you have to rely on a lot of debugs (conditional debugs in particular) to isolate the problem.

    2) Completed full mock labs 1, 2, and 3 from the same workbook. Some tricky questions throughout these, but not as overly complicated as INE's TS workbook.

    I will finish up labs 4 and 5, and the MPLS sections tomorrow! 8 sleeps to go now :)

    I've had a few people PM me about what materials I've used throughout my CCIE studies so I will provide that later tonight in this thread.
  • lrblrb Member Posts: 526
    My materials used throughout preparing for the written and the lab. Hope this helps anyone just starting out :)

    Reading:
    1) TCP/IP Volume 1
    2) TCP/IP Volume 2
    3) MPLS Fundamentals
    4) Cisco Express Forwarding (Only read a few chapters)
    5) IPv6 Fundamentals
    6) Interdomain Multicast Routing
    7) QoS official cert guide
    8) Cisco LAN Switching
    9) Various RFCs and Cisco docs
    10) Internet Routing Architectures

    Videos:
    1) INE R&S ATCv5 (watched pretty much all of them)
    2) INE R&S ATCv4 (didn't watch all of them; I really only wanted to watch the IP services parts)

    Workbooks:
    1) INE R&Sv4 Vol 1 (minus Frame Relay and QoS)
    2) INE R&Sv5 protocol labs (went through every lab at least once, but for the core stuff I've been over several times)
    3) Narbik's v4 advanced technologies workbook (for stuff that WASN'T in the v5)
    4) Narbik's v5 advanced technologies workbook
    5) Narbik's v5 TS workbook

    Bootcamps:
    1) Narbik's 10-day R&S bootcamp

    Mock Labs:
    1) INE R&S mock lab 1 and 2
    2) A few 360 (don't remember which numbers but they weren't too bad)
    3) INE R&S TS lab 1 and 2

    "equipment" used for labbing:
    1) Web-IOU (can't stress how much I like this)
    2) GNS3
    3) About six 1800's and a few 3650's (although I rarely use these as I much prefer to just boot IOU)
    4) INE's v4 and v5 setups
    5) Narbik's setup which is available for renting

    Total expenses:
    1) Mysafari subscription: $100 for a year
    2) Narbik's 10-day bootcamp: $3750
    3) INE all access pass: $1999 for 2 years + 2000 tokens
    4) Lab booking: ~$2000 (AUD)
    5) Written: $400? (AUD)
    6) Narbik's 30-day rack rental: $300
    7) Flights/accomm: About $500
  • lrblrb Member Posts: 526
    4 hours today:

    1) Completed labs 4 and 5 of Narbik's TSv5 workbook

    2) Completed the two MPLS scenarios. These two scenarios were really good, especially as there's lots of things that can go wrong in an L3VPN, especially if the lab is really nasty :o To name just a few:
    - CEF disabled
    - LDP discovery failure
    - LDP auth failure
    - Label filters
    - Routes not getting redistributed into BGP
    - Mismatched RTs
    - SoO
    - Domain tagging
    - Not host routes for PE routers
    - and so forth..........
  • lrblrb Member Posts: 526
    So I was reviewing my CCIE online confirmation email just to make sure I have everything I need to bring to the lab, and noticed this point:

    5. The temperature in the lab can be cold, so wear casual layered clothing.

    Not to be undone by Cisco trying to put me off in the lab due to the cold, I did a small mock lab while having their air conditioning set at 18 degrees C (64 F) which is cold as I could get it :) Now I know why people say to bring a jumper to the lab.. my hands were freezing!
  • MrBrianMrBrian Member Posts: 520
    Hahaha.. nice. That's dedication and preparation taken seriously.
    Currently reading: Internet Routing Architectures by Halabi
  • lrblrb Member Posts: 526
    Haha, anything for that number mate!
  • gorebrushgorebrush Member Posts: 2,743 ■■■■■■■□□□
    Hmm I don't usually feel the cold in my torso. Though as I am recently a new cyclist - I own fingerless gloves. Perhaps they will keep my hands warm. My fingers will be kept warm by the insane speed I'll be having to type at...

    Also, 6 days to go! Good luck! I was going to say I was rooting for you, but I believe that has a very different meaning to an Australian...
  • lrblrb Member Posts: 526
    Ahahaha well I appreciate the kind words either way! Yesterday was actually the last full day of studying I'll probably get in before my lab. All the rest will be here and there study while I'm away.

    I spent yesterday pretty much entirely at my computer building random topologies, trying to break them, and then seeing what flow on effect this had. I tried to jam as many technologies into the topologies as I possibly could (e.g. not using ethernet links all the time, always using PPP or PPPoE to make things harder). If I had to guess I would say I spent about 10 hours doing this.
  • lrblrb Member Posts: 526
    Not a whole lot of study today due to travel. Did some basic L2 diagrams on the plane from a topology I had in Lucidchart and then configured some ACLs and NAT with DMVPN. Mostly the same as one of the labs I wrote up earlier, but if the hub is behind a NAT device you will need to have a static NAT binding for UDP500 (ISAKMP) and UDP4500 (NAT-T) that maps the inside local (the DMVPN hub) address to the inside global address (the NAT device's outside interface). You will also need to use transport mode IPsec ESP or AH as well.