CCIE Sec Lab Diary - or how to make Ahriakin's brain implode

Comments

  • Options
    AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Well the website came back and I got the passwords, the Access servers were reset so I guess it's a good thing this happened at the start. I'm just finishing up their Lab3 on my home setup so maybe I'll have time to do the ones I wanted to now.
    Just frustrating.

    Edit: Nope, belly up again. I'm done with them.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Options
    nelnel Member Posts: 2,859 ■□□□□□□□□□
    Damn, sounds like a pain in the arse!

    Don't let it deter you, by the sounds of it you're doing great Ahriakin. Keep up the good work man!
    Xbox Live: Bring It On

    Bsc (hons) Network Computing - 1st Class
    WIP: Msc advanced networking
  • Options
    AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Thanks, just whinging again, sh*t happens I should just deal with it.

    Anyway.
    I went through about 2/3 of the Cisco ASA Handbook yesterday and the IWEB Advanced Tech Class on AAA. Today was a little on Remotely Triggered Black Hole Filtering....which I FINALLY get, turns out it's not that complicated at all, just with so much BGP interaction I'd turned it into a kind of study boogeyman.

    I'm just starting my last Lab session, IWEB lab 10, a 9/10 the toughest one in the book apparently. Should be fun
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Options
    AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Lab 10 (9/10) done.

    That was tough, surprise surprise but not actually as bad as I thought it would be. Had it been real I would have probably failed it, but I'm placing my hope now in IWEB's claims that their Labs are harder than the real thing, well not 'all hope' as I know that is useless but it's part of my nature to always try and put everything where it can be referenced against something else. Make sense? Doesn't much to me re-reading it either, sorry the brain is fried.
    Almost every task had an implied secondary, whether it was filtering devices in the way, or NAT, port remapping etc. The trickiest was setting up a second L2L VPN between the PIX and VPN3K, which of course you normally can't do. You had to translate both addresses on the intermediate Routers and use the translated IPs as the peers to fool each device into thinking it was talking to a totally different endpoint - I got the basic idea but wanted to check the solution guide to make sure I was on the right track before launching into a pretty lengthy configuration, and the guide was wrong, it didn't match the topology properly for one of the routers, fun, but the principle was sound.
    This next one would have had the honour of 'trickiest' except it qualifies for downright evil instead - encrypting GRE tunnels between 2 routers, normally easy, but the question stated that there was to be no lifetime timeout....hadn't a clue...turns out you had to disable ISAKMP, the thing that every book says no one ever does and you should avoid (yes I know it's the lab and it's fair game :) ), and manually enter a pre-shared key in hex of equal length to the encryption algorithm, 3DES...honestly this one got ridiculous in its depth, allowing for the fact that 3DES uses parity bits and subtracting them from the keying length etc. All for 3 points it easily tripled the config time (not to mention plain old brain exertion) for simply encrypting an easy to do GRE setup. All I can think of is the author wanted to show us that even if we got smug at having gotten through their hardest Sec lab so far that they still knew more ;). I didn't even bother trying to implement from the solution guide. If something like that pops up on the real thing it's 3 points I'll be happy to burn.
    The ASA Webvpn and VPN3K NAC sections actually went okay this time. I spent a bit more time on them after the last lab. I'm not 100% on either but at least now I know enough to do the basics and have a stab at the more complex configs.
    With each of the other labs as they moved up a difficulty level it usually meant adding the more complex technology areas, like moving from pure IPSec VPNs to adding WebVPN etc. This one however didn't really introduce much new material (barring a few very obscure routing configs (like forcing traceroute replies from a loopback)) it just meshed them together much more closely. At times it felt like walking a highwire, I'd keep checking my diagrams and memory to make sure that hitting enter wasn't about to make something else blow up. Stressful stuff. But it's meant to be, isn't it?

    So that's it for the moment anyway, no more booked lab sessions. I need to do some home lab work on AAA privilege assignments from the AAA server and a little more on Inspection type Policy-maps (though I had problems in the Lab with 2 it actually 'clicked' while I was doing them, just need some more practice to solidify the understanding). Then do spot revision on anything that comes to mind. I fly out wed. so I have Thursday off. I know the common advice is don't study that day but I know I will, I'll just try not to stress over it and take it easy that day, finish up at dinner and hope the Hotel has a movie channel.


    Anyone got any last minute advice for the trip itself? I've never been to San Jose. I'll be staying at the La Quinta just off the Airport and only a few miles from the Exam center.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
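    The post above mentions hand-entering a 3DES key in hex and accounting for its parity bits. As an added example (not part of the original post and not from the lab's solution guide), this Python sketch checks such a key before it is typed into a device: length, odd parity per byte, repeated subkeys and the four DES weak keys. All function names and the sample key are constructed for illustration; whether a given device enforces parity is an assumption left open here.

```python
"""Sanity checks for a manually entered 3DES key (added example)."""
import secrets

TDES_KEY_BYTES = 24          # three 8-byte DES keys: 192 bits as typed
EFFECTIVE_KEY_BITS = 24 * 7  # 168: the low bit of every byte is parity

# The four DES weak keys in odd-parity form; encrypting twice with one
# of them returns the plaintext.
WEAK_DES_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "fefefefefefefefe",
    "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e")}

# Constructed sample key, not taken from any lab or device.
SAMPLE_KEY_HEX = "0123456789abcdef23456789abcdef01456789abcdef0123"


def set_odd_parity(key: bytes) -> bytes:
    """Rewrite the low bit of each byte so every byte has odd parity."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE                 # the 7 real key bits
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 else 1))
    return bytes(out)


def check_tdes_key(hex_key: str) -> list:
    """Return a list of problems; an empty list means the key looks sane."""
    try:
        key = bytes.fromhex(hex_key.strip())
    except ValueError:
        return ["not a valid hex string"]
    if len(key) != TDES_KEY_BYTES:
        return [f"need {TDES_KEY_BYTES} bytes, got {len(key)}"]
    problems = []
    norm = set_odd_parity(key)           # compare subkeys ignoring parity
    if norm != key:
        problems.append("parity bits are not odd in every byte")
    k1, k2, k3 = norm[:8], norm[8:16], norm[16:]
    if k1 == k2 or k2 == k3:
        # Encrypt-decrypt-encrypt cancels out: strength of single DES.
        problems.append("adjacent subkeys match: strength of single DES")
    elif k1 == k3:
        problems.append("K1 equals K3: two-key 3DES, 112 key bits")
    if any(k in WEAK_DES_KEYS for k in (k1, k2, k3)):
        problems.append("contains a DES weak key")
    return problems


def generate_tdes_key() -> str:
    """Random 24-byte key with odd parity that passes every check."""
    while True:
        candidate = set_odd_parity(secrets.token_bytes(TDES_KEY_BYTES)).hex()
        if not check_tdes_key(candidate):
            return candidate


if __name__ == "__main__":
    print("sample key problems:", check_tdes_key(SAMPLE_KEY_HEX))
    print("all-zero key problems:", check_tdes_key("00" * 24))
    print("fresh key:", generate_tdes_key())
```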
  • Options
    GT-RobGT-Rob Member Posts: 1,090
    Not sure about others, but I plan to take sleeping pills the night before. Can't beat a good nights sleep!

    I have also heard people say don't eat a heavy lunch. Maybe some fruit and salads and such.


    Looks like some nice weather in San Jose (compared to here anyway), so enjoy it!
  • Options
    TurgonTurgon Banned Posts: 6,308 ■■■■■■■■■□
    Ahriakin wrote:
    Lab 10 (9/10) done.

    That was tough, surprise surprise but not actually as bad as I thought it would be. Had it been real I would have probably failed it, but I'm placing my hope now in IWEB's claims that their Labs are harder than the real thing, well not 'all hope' as I know that is useless but it's part of my nature to always try and put everything where it can be referenced against something else. Make sense? Doesn't much to me re-reading it either, sorry the brain is fried.
    Almost every task had an implied secondary, whether it was filtering devices in the way, or NAT, port remapping etc. The trickiest was setting up a second L2L VPN between the PIX and VPN3K, which of course you normally can't do. You had to translate both addresses on the intermediate Routers and use the translated IPs as the peers to fool each device into thinking it was talking to a totally different endpoint - I got the basic idea but wanted to check the solution guide to make sure I was on the right track before launching into a pretty lengthy configuration, and the guide was wrong, it didn't match the topology properly for one of the routers, fun, but the principle was sound.
    This next one would have had the honour of 'trickiest' except it qualifies for downright evil instead - encrypting GRE tunnels between 2 routers, normally easy, but the question stated that there was to be no lifetime timeout....hadn't a clue...turns out you had to disable ISAKMP, the thing that every book says no one ever does and you should avoid (yes I know it's the lab and it's fair game :) ), and manually enter a pre-shared key in hex of equal length to the encryption algorithm, 3DES...honestly this one got ridiculous in its depth, allowing for the fact that 3DES uses parity bits and subtracting them from the keying length etc. All for 3 points it easily tripled the config time (not to mention plain old brain exertion) for simply encrypting an easy to do GRE setup. All I can think of is the author wanted to show us that even if we got smug at having gotten through their hardest Sec lab so far that they still knew more ;). I didn't even bother trying to implement from the solution guide. If something like that pops up on the real thing it's 3 points I'll be happy to burn.
    The ASA Webvpn and VPN3K NAC sections actually went okay this time. I spent a bit more time on them after the last lab. I'm not 100% on either but at least now I know enough to do the basics and have a stab at the more complex configs.
    With each of the other labs as they moved up a difficulty level it usually meant adding the more complex technology areas, like moving from pure IPSec VPNs to adding WebVPN etc. This one however didn't really introduce much new material (barring a few very obscure routing configs (like forcing traceroute replies from a loopback)) it just meshed them together much more closely. At times it felt like walking a highwire, I'd keep checking my diagrams and memory to make sure that hitting enter wasn't about to make something else blow up. Stressful stuff. But it's meant to be, isn't it?

    So that's it for the moment anyway, no more booked lab sessions. I need to do some home lab work on AAA privilege assignments from the AAA server and a little more on Inspection type Policy-maps (though I had problems in the Lab with 2 it actually 'clicked' while I was doing them, just need some more practice to solidify the understanding). Then do spot revision on anything that comes to mind. I fly out wed. so I have Thursday off. I know the common advice is don't study that day but I know I will, I'll just try not to stress over it and take it easy that day, finish up at dinner and hope the Hotel has a movie channel.


    Anyone got any last minute advice for the trip itself? I've never been to San Jose. I'll be staying at the La Quinta just off the Airport and only a few miles from the Exam center.

    I have advice. There is nothing you can do now to improve your chances of passing the test but plenty you can do to reduce those chances. Get some rest now and start to get mentally ready for that exam. A few notes to turn over is fine but nothing more. Eat well and get plenty of sleep before the test.

    Good luck.
  • Options
    dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    I have a special night-before-the-lab sleep-well drink. It's one part Nyquil and two parts vodka. You'll want to have it around 10am the day before, otherwise you might oversleep. Good luck!
  • Options
    GT-RobGT-Rob Member Posts: 1,090
    Turg: I love that philosophy. It's what I say to myself leading up to a race/triathlon. "there's nothing you can do in the last week to help you finish, but there's everything you can do to keep you from finishing"

    Dyn: That sounds like death. And probably does the trick! :P
  • Options
    AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Yup good advice. I took it easy this evening, logged in to catch up on some work and then just watched a few recorded TV shows. I might do a few CBT modules tonight but that's about it.

    Dynamik I'm Irish, there's no such thing as just '2 parts vodka' unless you're talking about my bloodtype :). Actually plain old Benadryl does the trick for me, teeny sip of that stuff and I'm out for the count.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Options
    AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Well the trip went fine, beautiful mountain view on the way in. The Hotel (the La Quinta just outside the airport and only about 3 miles from the Cisco offices) is very nice too. Not much in the way of movies though, I presumed they'd have a ppv channel and didn't bring much in the way of entertainment, just a few Dexter Season 2 episodes left. I ended up getting about 2 hours sleep last night (not nerves, just trying to slam-adjust back to daylight hours after working nights for so long) but it'll help me sleep well tonight. I'm probably going to do a quick run over the main Cisco Docs later, not intense study mainly to freshen up my map of knowledge and then some CBTs tomorrow - just a few :) With no movies I have to have something to do....
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Options
    GT-RobGT-Rob Member Posts: 1,090
    Well it's been said but good luck man! Really looking forward to hearing how it goes. I might book that hotel myself I think, as it looks like a decent location/price.
  • Options
    AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    It is a good choice, refurbished early this year and everything is still clean and new(ish), close to the airport (with a free shuttle), close to Cisco and a Burgerking at the far end of the parking lot that just finished filling yours truly with comfort food :) (I won't be doing that tomorrow, I don't have a deathwish but it was nice after the trip). If you're just here for the exam it's pretty much ideal.
    I'm doing a quick run over the Cisco Docs for the IOS routing. I know my way around the security config (using 12.4 since the 12.2/12.3 docs are still in disarray online and most of the security syntax is the same for the Lab test features, barring IOS IPS) but hadn't done the same yet for R&S so it's a good opportunity in case I get something routing related that goes over my wee security focused head.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Options
    AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Slept like a baby, for 12 hours :). Even though it's right beside the airport the hotel is practically silent, nice work on the insulation. I spent the morning calling family and friends just catching up and am actually very relaxed. I watched the movie "Mongol" a few nights ago and the dialogue at the final battle I think explains why I'm not jittery anymore "I had nowhere to hide from the thunder so I had no reason to be afraid of it"...well I thought it was cool anyway :), nicer than the modern day version of "well there's nothing more I can do now".
    Lunch was pretty good, ordered from a local restaurant and had a Veggie Burger and Salad, with enough salad left over for a snack tonight, no heavy meals so I can sleep well again. The front desk said there shouldn't be a problem with taxis in the morning and will book one for 7:30. So fingers crossed I'm all set.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Options
    networker050184networker050184 Mod Posts: 11,962 Mod
    Ahriakin wrote:
    Slept like a baby, for 12 hours :). Even though it's right beside the airport the hotel is practically silent, nice work on the insulation. I spent the morning calling family and friends just catching up and am actually very relaxed. I watched the movie "Mongol" a few nights ago and the dialogue at the final battle I think explains why I'm not jittery anymore "I had nowhere to hide from the thunder so I had no reason to be afraid of it"...well I thought it was cool anyway :), nicer than the modern day version of "well there's nothing more I can do now".
    Lunch was pretty good, ordered from a local restaurant and had a Veggie Burger and Salad, with enough salad left over for a snack tonight, no heavy meals so I can sleep well again. The front desk said there shouldn't be a problem with taxis in the morning and will book one for 7:30. So fingers crossed I'm all set.

    Good luck man!
    An expert is a man who has made all the mistakes which can be made.
  • Options
    JohnDouglasJohnDouglas Member Posts: 186
  • Options
    gorebrushgorebrush Member Posts: 2,743 ■■■■■■■□□□
    I've been reading your efforts and commend you.

    I hope that you pass :)
  • Options
    shednikshednik Member Posts: 2,005
    Best of luck Ahriakin!!
  • Options
    MishraMishra Member Posts: 2,468 ■■■■□□□□□□
    Good luck! I wonder if the other CCIEs have been following this.
    My blog http://www.calegp.com

    You may learn something!
  • Options
    cblm123cblm123 Member Posts: 27 ■□□□□□□□□□
    Sooooo how was it? Hopefully you have your digits!!!
  • Options
    GT-RobGT-Rob Member Posts: 1,090
    He actually is probably just sitting down to his $1400 lunch right about now. And since it's a Friday, he might not get his results for a couple of days!


    We are rooting for ya!
  • Options
    AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    $1400 lunch AND a sticky name tag (Maybe I can cover up the 'Lab' part on the end of it that says CCIE)! Riches beyond words :). Well I won't get the results until at least Monday night, I'll be travelling all day tomorrow and probably sleep most of Sunday but I reckon Monday will be a killer.
    Once again guys thanks for all the support, it does help deal with the stress.

    I can't really say much about the Lab itself but it was tough in ways I hadn't expected. I thought the actual tasks were a little easier and more straightforward than those in the last few mock labs I've done, but to balance it out there was more dependence between them which I didn't expect. Missing a config for one task really could scupper you for 2 or 3 down the line. I wasn't nuts about the candidate PCs either, mine started chugging along near the end (granted I had 10 different terminal sessions, about 5 instances of IE, and the IPS GUI running, but still ;) ). As for the big question of how I think I did? I can't say for sure either way. I skipped 2 questions, one I knew most of but it made better sense to use the time to review my existing work at the end, the other I hadn't a clue and it didn't affect anything else. I finished my first run through by 4 O'clock but with 2 serious connectivity issues sitting behind the lines, thankfully a look back with fresh eyes and they got sorted quickly, which left me in a bit of a rush though going back and verifying a few tasks that needed those 2 done for full verification. I stopped completely and started reviewing with about 30 mins to go. I didn't have time to verify and re-read 100% and there were lots of small details that were a pain to track so it's likely I missed (at least) a few that I thought were okay. I've no frame of reference for this so I'm afraid to make a guess as I could be WAY off. But we'll know in 3 days for better or worse.
    There were 2 other guys sitting security today. One was an R&S CCIE, the other like me had gone straight to Security but he had already made an attempt in April. All of us were exhausted by the end of it, nobody left early.

    Regardless of how it turns out the experience has been worth it. I'm a much better Cisco geek than I was a few months back and I got to see what the real deal was like (and still have that sticky name tag). If things don't work out then I'll likely re-book for Feb next year.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Options
    dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Man, it's stressful just reading about it. Your nerves must be shot!

    Well, best wishes; I'll be waiting on the edge of my seat!
  • Options
    TurgonTurgon Banned Posts: 6,308 ■■■■■■■■■□
    Ahriakin wrote:
    $1400 lunch AND a sticky name tag (Maybe I can cover up the 'Lab' part on the end of it that says CCIE)! Riches beyond words :). Well I won't get the results until at least Monday night, I'll be travelling all day tomorrow and probably sleep most of Sunday but I reckon Monday will be a killer.
    Once again guys thanks for all the support, it does help deal with the stress.

    I can't really say much about the Lab itself but it was tough in ways I hadn't expected. I thought the actual tasks were a little easier and more straightforward than those in the last few mock labs I've done, but to balance it out there was more dependence between them which I didn't expect. Missing a config for one task really could scupper you for 2 or 3 down the line. I wasn't nuts about the candidate PCs either, mine started chugging along near the end (granted I had 10 different terminal sessions, about 5 instances of IE, and the IPS GUI running, but still ;) ). As for the big question of how I think I did? I can't say for sure either way. I skipped 2 questions, one I knew most of but it made better sense to use the time to review my existing work at the end, the other I hadn't a clue and it didn't affect anything else. I finished my first run through by 4 O'clock but with 2 serious connectivity issues sitting behind the lines, thankfully a look back with fresh eyes and they got sorted quickly, which left me in a bit of a rush though going back and verifying a few tasks that needed those 2 done for full verification. I stopped completely and started reviewing with about 30 mins to go. I didn't have time to verify and re-read 100% and there were lots of small details that were a pain to track so it's likely I missed (at least) a few that I thought were okay. I've no frame of reference for this so I'm afraid to make a guess as I could be WAY off. But we'll know in 3 days for better or worse.
    There were 2 other guys sitting security today. One was an R&S CCIE, the other like me had gone straight to Security but he had already made an attempt in April. All of us were exhausted by the end of it, nobody left early.

    Regardless of how it turns out the experience has been worth it. I'm a much better Cisco geek than I was a few months back and I got to see what the real deal was like (and still have that sticky name tag). If things don't work out then I'll likely re-book for Feb next year.

    I will keep my fingers crossed for you. You may have gathered enough points in to pass this time which will certainly save you more gruelling sessions. You have leveraged what you already knew about security device configuration and done as much preparation as was realistic in a compressed time frame. If it doesn't work out you can attack it in a different way. You have hindsight on what the lab entails now and can work out a realistic schedule to approach it next time.

    Good luck!
  • Options
    AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Close but no biscuit I'm afraid. I fell down on Identity management and IPS, I'm pretty sure I know where. Identity Management was one of my worst but the IPS surprised me.
    Anyway from the score report (For what it's worth) I averaged to 75, soooo I'm going to rebook for January.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Options
    TurgonTurgon Banned Posts: 6,308 ■■■■■■■■■□
    Ahriakin wrote:
    Close but no biscuit I'm afraid. I fell down on Identity management and IPS, I'm pretty sure I know where. Identity Management was one of my worst but the IPS surprised me.
    Anyway from the score report (For what it's worth) I averaged to 75, soooo I'm going to rebook for January.

    Hard lines. By average do you mean you got 75% of what was required overall or 75 out of 100. It's 80 to pass right?
  • Options
    dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Ouch

    It looks like you're really close though. Now that you know what the experience is like and where you are weak, you're going to be in good shape for round two.
  • Options
    networker050184networker050184 Mod Posts: 11,962 Mod
    Sorry to hear that but it sounds like you should be good for a pass next time!
    An expert is a man who has made all the mistakes which can be made.
  • Options
    shednikshednik Member Posts: 2,005
    Sorry to hear about that...I'm sure you'll get it in January tho!!
  • Options
    GT-RobGT-Rob Member Posts: 1,090
    Turgon wrote:

    Hard lines. By average do you mean you got 75% of what was required overall or 75 out of 100. It's 80 to pass right?


    I think he means the average of each topic combined. Each isn't weighted equally so it's impossible to tell the exact number though (I've heard of people getting over 80% when added all up).


    So hear though, sounds like it was close! Good luck in January, any idea what date you are looking at?
  • Options
    dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    You need to know how many points you had in each section to know what you scored based on the score report. Sorry to hear that Ahriakin, don't give up on it.
    The only easy day was yesterday!