Security .NET config (with real switches)

Posted in CCIE on April 22, 2009 by cciejournal

Here it is. I ended up running 3725's instead of the 2600XM's. At the cost of about 8% more CPU usage, at least it's stable!!

autostart = False
[localhost:7200]
workingdir = D:\Program Files\Dynamips\labs\working
udp = 10000
[[3725]]
image = D:\Program Files\Dynamips\images\c3725-adventerprisek9-mz.124-15.T8.image
ram = 192
ghostios = true
sparsemem = true
idlepc = 0x60bfb8f8
[[ROUTER R1]]
model = 3725
console = 2001
s0/0 = FRSW 1
s0/1 = R3 s0/2
f0/0 = SW1 101
x = -36.9562773986
y = -315.201010127
[[ROUTER R2]]
model = 3725
console = 2002
s0/0 = FRSW 2
s0/1 = R3 s0/3
f0/0 = SW1 102
x = 371.043722601
y = -303.201010127
[[ROUTER R3]]
model = 3725
console = 2003
s0/0 = FRSW 3
s0/1 = FRSW 13
s0/2 = R1 s0/1
s0/3 = R2 s0/1
f0/0 = SW1 103
f0/1 = SW1 203
x = 149.043722601
y = -337.201010127
[[ROUTER R4]]
model = 3725
ghostios = True
console = 2004
s0/0 = FRSW 4
s0/1 = R5 s0/1
f0/0 = SW1 104
f0/1 = SW1 204
x = 372.043722601
y = -150.201010127
[[ROUTER R5]]
model = 3725
ghostios = True
console = 2005
s0/0 = FRSW 5
s0/1 = R4 s0/1
f0/0 = SW1 105
f0/1 = SW1 205
x = 307.043722601
y = 49.7989898732
hx = 41.5
hy = -25.0
[[ROUTER R6]]
model = 3725
console = 2006
s0/0 = FRSW 6
f0/0 = SW1 106
f0/1 = SW1 206
x = 129.043722601
y = 39.7989898732

[localhost:7201]
workingdir = D:\Program Files\Dynamips\labs\working
udp = 10100
[[3725]]
image = D:\Program Files\Dynamips\images\c3725-adventerprisek9-mz.124-15.T8.image
ram = 192
ghostios = true
sparsemem = true
idlepc = 0x60bfb8f8
[[3640]]
image = D:\Program Files\Dynamips\images\c3640-is-mz.124-23.image
ram = 96
chassis = 3640
ghostios = true
sparsemem = true
idlepc = 0x604ba8bc
[[FRSW FRSW]]
1:102 = 2:201
1:103 = 3:301
1:104 = 4:401
1:105 = 5:501
1:113 = 13:311
2:201 = 1:102
2:203 = 3:302
2:204 = 4:402
2:205 = 5:502
2:213 = 13:312
3:301 = 1:103
3:302 = 2:203
3:304 = 4:403
3:305 = 5:503
4:401 = 1:104
4:402 = 2:204
4:403 = 3:304
4:405 = 5:504
4:413 = 13:314
5:501 = 1:105
5:502 = 2:205
5:503 = 3:305
5:504 = 4:405
5:513 = 13:315
13:311 = 1:113
13:312 = 2:213
13:314 = 4:413
13:315 = 5:513
6:51 = 21:51
6:100 = 21:100
6:101 = 21:101
6:201 = 21:201
6:301 = 21:301
6:401 = 21:401
x = 139.952339036
y = -174.037531346
hx = 5.5
hy = -35.0
[[ETHSW SW1]]
50 = dot1q 1 nio_gen_eth:\device\npf_{f7200e39-f13e-4289-8987-bb421b50ba90}
101 = access 101
102 = access 102
103 = access 103
104 = access 104
105 = access 105
106 = access 106
110 = access 110 nio_gen_eth:\device\npf_{5c9a1b59-7fb4-4e17-9db6-fa957db2213c}
113 = access 113 nio_gen_eth:\device\npf_{35bc7d02-fb18-4c1c-b034-5903764cdb81}
115 = access 115 nio_gen_eth:\device\npf_{90141bb9-cf2b-4d26-867f-f062d9575701}
120 = access 120 nio_gen_eth:\device\npf_{3888538f-c5e8-4798-9ada-a127efd54702}
124 = access 124
203 = access 203
204 = access 204
205 = access 205
206 = access 206
210 = access 210 nio_gen_eth:\device\npf_{d5ba2e57-d804-4314-a1ce-974423ff9945}
212 = access 212 nio_gen_eth:\device\npf_{4c1663dc-47af-49b5-863f-12872cf8d1bd}
213 = access 213 nio_gen_eth:\device\npf_{5574ae30-bf7d-4934-af74-39a41a900e08}
214 = access 214 nio_gen_eth:\device\npf_{50f06da0-8255-4f22-912f-47118e5a7d54}
215 = access 215 nio_gen_eth:\device\npf_{9cf1d3bf-ae34-474b-ba6c-f504122fae55}
220 = access 220 nio_gen_eth:\device\npf_{A0E516A4-BD1D-474B-906D-B2940BC8564F}
224 = access 224
x = -136.456277399
y = -111.201010127
[[ROUTER BB1]]
model = 3640
console = 2021
slot0 = NM-4T
s0/0 = FRSW 21
s0/1 = BB3 s1/0
[[ROUTER BB2]]
model = 3640
console = 2022
slot0 = NM-4E
e0/0 = SW1 224
[[ROUTER BB3]]
model = 3640
console = 2023
slot0 = NM-4E
slot1 = NM-4T
e0/0 = SW1 124
[GNS3-DATA]
m11 = 0.707106781187
m22 = 0.707106781187
[[Cloud 3548XL]]
x = -956.687950267
y = -339.371716451
hx = 61.5
hy = 13.0
connections = SW1:50:nio_gen_eth:\device\npf_{f7200e39-f13e-4289-8987-bb421b50ba90}
[[Cloud IPSmgmt]]
x = -807.819984622
y = -47.7279220614
connections = SW1:110:nio_gen_eth:\device\npf_{5c9a1b59-7fb4-4e17-9db6-fa957db2213c}
[[Cloud IPSsensor]]
x = -778.121499812
y = 48.43860018
connections = SW1:210:nio_gen_eth:\device\npf_{d5ba2e57-d804-4314-a1ce-974423ff9945}
[[Cloud ASA11]]
x = 2.52438661764
y = 314.310749906
connections = SW1:113:nio_gen_eth:\device\npf_{35bc7d02-fb18-4c1c-b034-5903764cdb81}
[[Cloud ASA10]]
x = -208.193434176
y = 302.997041407
connections = SW1:212:nio_gen_eth:\device\npf_{4c1663dc-47af-49b5-863f-12872cf8d1bd}
[[Cloud ASA12]]
x = 203.342712475
y = 315.724963469
connections = SW1:213:nio_gen_eth:\device\npf_{5574ae30-bf7d-4934-af74-39a41a900e08}
[[Cloud ASA21]]
x = -797.920489686
y = 368.050865276
connections = SW1:115:nio_gen_eth:\device\npf_{90141bb9-cf2b-4d26-867f-f062d9575701}
[[Cloud ACS]]
x = -312.845237792
y = -457.84985515
connections = SW1:120:nio_gen_eth:\device\npf_{3888538f-c5e8-4798-9ada-a127efd54702}
[[Cloud ASA20]]
x = -990.253534168
y = 358.15137034
connections = SW1:214:nio_gen_eth:\device\npf_{50f06da0-8255-4f22-912f-47118e5a7d54}
[[Cloud ASA22]]
x = -608.415872328
y = 376.536146651
connections = SW1:215:nio_gen_eth:\device\npf_{9cf1d3bf-ae34-474b-ba6c-f504122fae55}
[[Cloud TestPC]]
x = -556.08997052
y = -435.222438152
connections = SW1:220:nio_gen_eth:\device\npf_{9b56cbae-8a84-4832-9151-196a5c0f19ad}

Offline

Posted in CCIE on April 16, 2009 by cciejournal

Sorry all, have been offline for a little while (moving house & PC issues). I’ll respond to the requests for the .NET file in the next day or two.

Something I need to edit in my previous post though. I ended up experiencing weird issues running the 2600 XM routers in Dynamips.

Security Home Lab

Posted in CCIE, Dynamips, Internetwork Expert on March 26, 2009 by cciejournal

Still alive, just been busy with work and various other stuff.

For the last couple of months my study has been mainly some light reading here and there. Virtually no labbing yet because for one I don't have any study material yet (i.e. workbooks) and secondly I don't have a lab to study on. Work are supporting my second IE, but there's just some finalization to be done before the material is purchased – which will be from Internetwork Expert. With regard to practical study, unless I have a fully functional lab at my disposal anytime I want it, then there's very little chance I'll study at all. But that has all changed since yesterday!

A few days ago IE released the specs for their new Security racks. So with some free time off, and using what I already had prepared a few months ago, I've now got a fully functioning lab that almost matches their topology exactly. And the best part is that it's pretty much all virtual, idling on my Windows XP Quad core 3GB at 30% utilization.

So here’s what I have:

Virtual (Dynamips)

R1 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R2 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R3 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R4 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R5 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
R6 – 3725 (c3725-adventerprisek9-mz.124-15.T8.image)
BB1 – 3640 (c3640-is-mz.124-23)
BB2 – 3640 (c3640-is-mz.124-23)
BB3 – 3640 (c3640-is-mz.124-23)

Virtual (Other)

ACS Server 4.2 Trial – Running on Windows 2003 Server in VMware
IPS 5.1 – Running in VMware
2 x ASA 8.0 – Running in QEMU

Real Equipment

Cisco 3548XL Switch
2 x Cisco 3550 24 Port EMI
Test PC (my home laptop)

Now in terms of how I get all this working, I’ll start with a couple of diagrams:

(diagrams: ccie-sec3, gns)

The key to getting the whole topology working is in the dynamips soft switch and the 3548XL switch. I've configured the dynamips switch to have 21 access ports. Each port is then mapped to every virtual device using a separate VLAN. The switch also has a dot1q trunk port that is mapped to a physical Intel NIC (also trunking) which is directly attached to the 3548XL. So now we have 21 separate VLANs for 21 separate interfaces all being trunked through to a physical switch.

I've then configured 21 ports on the 3548XL switch to be in the separate VLANs and then used very short Ethernet cables to patch each port to the corresponding ports on the real 3550's as per the Internetwork Expert racks.

For example, ASA1 port E0/1 is supposed to be on SW Fa0/13. So I assigned it VLAN 113 on the dynamips switch and then assigned port Fa0/13 VLAN 113 on the 3548XL, and then patched it through to SW1 Fa0/13. Simple.
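A small consistency checker for this kind of .NET file, added here as an example and not part of the original post: it parses the ETHSW, FRSW and Cloud sections, rebuilds the VLAN-to-port map and the frame-relay DLCI table you would otherwise draw by hand, and confirms that each Cloud object is bound to the same host NIO as the switch port it names, since a VLAN or NIO mix-up silently puts a device on the wrong segment of the trunk. The embedded topology is a constructed cut-down sample with made-up GUIDs, not the file above.

```python
"""Consistency checks for a GNS3 .NET topology: parse the ETHSW, FRSW and
Cloud sections, rebuild the VLAN->port map and the frame-relay DLCI table,
and verify each Cloud is bound to the NIO of the switch port it names.
Added example; the sample below is constructed, not the author's file."""
import re
from collections import defaultdict

# Constructed sample (GUIDs are made up).  The last cloud deliberately names a
# different NIO than SW1 port 220 so the check has something to flag.
SAMPLE_NET = r"""
[localhost:7201]
[[3725]]
image = D:\images\c3725.image
[[FRSW FRSW]]
1:102 = 2:201
1:103 = 3:301
2:203 = 3:302
6:51 = 21:51
x = 139.9
[[ETHSW SW1]]
50 = dot1q 1 nio_gen_eth:\device\npf_{AAAA0000-0000-0000-0000-000000000050}
101 = access 101
113 = access 113 nio_gen_eth:\device\npf_{AAAA0000-0000-0000-0000-000000000113}
220 = access 220 nio_gen_eth:\device\npf_{AAAA0000-0000-0000-0000-000000000220}
[[ROUTER R1]]
f0/0 = SW1 101
[GNS3-DATA]
[[Cloud ASA11]]
connections = SW1:113:nio_gen_eth:\device\npf_{aaaa0000-0000-0000-0000-000000000113}
[[Cloud TestPC]]
connections = SW1:220:nio_gen_eth:\device\npf_{BBBB0000-0000-0000-0000-000000000220}
"""

SUBSECTION_RE = re.compile(r"^\[\[(\w+)\s+(\S+)\]\]$")  # [[ETHSW SW1]], [[Cloud ASA11]]
FR_MAP_RE = re.compile(r"^(\d+):(\d+)$")                 # "1:102" -> port 1, DLCI 102


def parse_net(text):
    """Return (switches, frsw, clouds):
    switches {name: {port: (mode, vlan, nio_or_None)}}
    frsw     {name: [(port, dlci, peer_port, peer_dlci)]}
    clouds   {name: [(switch, port, nio)]}"""
    switches, frsw, clouds = {}, {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUBSECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            store = {"ETHSW": switches, "FRSW": frsw, "Cloud": clouds}.get(kind)
            if store is None:           # ROUTER and anything else we do not model
                current = None
                continue
            store[name] = {} if kind == "ETHSW" else []
            current = (kind, name)
            continue
        if line.startswith("["):        # [localhost:7201], [[3725]], [GNS3-DATA]
            current = None
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        kind, name = current
        if kind == "ETHSW" and key.isdigit():            # "<port> = <mode> <vlan> [nio]"
            fields = value.split()
            nio = fields[2] if len(fields) > 2 else None
            switches[name][int(key)] = (fields[0], int(fields[1]), nio)
        elif kind == "FRSW":                            # "<port>:<dlci> = <port>:<dlci>"
            a, b = FR_MAP_RE.match(key), FR_MAP_RE.match(value)
            if a and b:                                  # skips x/y layout keys
                frsw[name].append(tuple(int(v) for v in a.groups() + b.groups()))
        elif kind == "Cloud" and key == "connections":   # "SW:port:nio ..."
            for conn in value.split():
                sw, port, nio = conn.split(":", 2)
                clouds[name].append((sw, int(port), nio))
    return switches, frsw, clouds


def check_cloud_bindings(switches, clouds):
    """(cloud, reason) for every Cloud whose NIO does not match the switch port
    it names.  GUID case is ignored: Windows writes npf_{...} in either case."""
    problems = []
    for cloud, conns in clouds.items():
        for sw, port, nio in conns:
            entry = switches.get(sw, {}).get(port)
            if entry is None:
                problems.append((cloud, f"{sw} port {port} not defined"))
                continue
            _mode, vlan, sw_nio = entry
            if sw_nio is None:
                problems.append((cloud, f"{sw} port {port} (vlan {vlan}) has no NIO"))
            elif sw_nio.lower() != nio.lower():
                problems.append((cloud, f"NIO mismatch on {sw} port {port} (vlan {vlan})"))
    return problems


def vlan_table(switches, name):
    """VLAN -> [(port, role)].  A dot1q port's vlan is its native VLAN; two
    ports in one VLAN would put two lab devices on the same segment."""
    table = defaultdict(list)
    for port, (mode, vlan, nio) in sorted(switches[name].items()):
        role = "trunk" if mode == "dot1q" else ("host-nic" if nio else "virtual")
        table[vlan].append((port, role))
    return dict(table)


def dlci_table(frsw, name):
    """Port -> sorted [(local DLCI, peer port, peer DLCI)], both directions of
    each mapping, i.e. the DLCIs you would write on the L3 diagram."""
    table = defaultdict(set)
    for port, dlci, peer, peer_dlci in frsw[name]:
        table[port].add((dlci, peer, peer_dlci))
        table[peer].add((peer_dlci, port, dlci))
    return {p: sorted(v) for p, v in table.items()}


if __name__ == "__main__":
    sw, fr, cl = parse_net(SAMPLE_NET)
    for vlan, ports in sorted(vlan_table(sw, "SW1").items()):
        print(f"vlan {vlan:>4}: {ports}")
    for port, maps in sorted(dlci_table(fr, "FRSW").items()):
        print(f"FRSW port {port:>2}: {maps}")
    for cloud, why in check_cloud_bindings(sw, cl):
        print(f"PROBLEM {cloud}: {why}")
```

Feeding the real file is just parse_net(open(path).read()); the checker then reports any Cloud whose nio_gen_eth GUID differs from the one on the SW1 port it references, which is the mistake that is hardest to spot by eye in a 20-port switch block.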

As far as getting the other virtual devices running here’s what I did:

ASA
- http://7200emu.hacki.at/viewtopic.php?t=4936&postdays=0&postorder=asc&start=0 – Look for the posts by ‘thumpercisco’
- QEMU is configured to map ASA interfaces to MS Loopback interfaces (3 for each ASA)

IPS
- http://7200emu.hacki.at/viewtopic.php?t=3095
- 3 VMware virtual adapters (only two required for topology)
- Enable VNC on the VMware instance so you don't need to go through the host machine every time.

ACS
- Trial version from Cisco, just save the VMware image once installed so you can reload it after 90 days
- Enable VNC on the VMware instance so you don't need to go through the host machine every time.

Other Stuff

To make things even easier I purchased a 2 port RS232 PCI card from eBay and installed it in my server. I then use a program called "Serial to Ethernet connector" so that I can telnet from my Test PC to a TCP port on the server and it maps my session to the serial ports of the physical switches.

.NET file

If you want a copy of my .NET file, leave a message with your email address and I'll be happy to forward it on :)

Fully virtual?

I did consider doing the whole thing in dynamips, and it is very possible. The only thing that annoyed me was the switch ports would be different on my setup than they would be in the workbooks (16 ports on the NM modules as opposed to 24). This meant some ports would be changed, meaning the diagrams would all be wrong, and the initial configs would all need to be changed.

——

So far, I've found the setup to be very reliable, and it runs extremely well. The CPUs idle nicely at 30% (full topology), and memory usage is about 1.5GB total!

With this I'll be able to test most technologies and even be able to do most full scale labs with this setup.

I hope this helps anyone thinking about or pursuing their Security track. Feel free to drop me a line if you have any questions.

Security blueprint, quality books, and general thoughts

Posted in CCIE, Dynamips on January 2, 2009 by cciejournal

For the last two weeks I've been working at the new Westfield shopping centre in London. Apart from having Christmas day off I've been at work every other day. Fortunately, because it's only a very short contract to fill in for the usual guy while he's on leave I only have a few key things to look after; and if nothing goes wrong I don't have to do a single thing! So overall it's been a pretty quiet two weeks, and because most of management is away it's very peaceful on my floor of the building which has given me a LOT of time to get immersed in my new books.

Most of this free time has been spent reading Yusuf Bhaiji's Network Security Technologies and Solutions which is just fantastic. Considering how many different products and technologies he covers I think it goes into just the right amount of detail on each one. The book can be used as a quick reference, or it can be used to get a baseline understanding of new security concepts. If you are looking to get a lot of coverage on the written blueprint then this is the book you need, and even if you aren't studying for the security lab, I would highly recommend it for any budding network professional in the Cisco arena.

In addition to this I got myself a Safari account and started reading Network Security Principles and Practices by Saadat Malik, and after seeing various Amazon reviews I went straight to the IPSEC section to see what all the fuss was about. If you had any doubts about how ISAKMP, IPSEC, ESP, AH or any other related topic function…this book will sort you out. Although it is a few years old, it's written extremely well and goes into a lot of detail on most of the technologies that make up the 2.0 blueprint.

—-

Considering my progress so far and how much I'm enjoying studying, I anticipate that I'll be sitting the written a lot sooner than April. February seems more realistic. If I wait 3-4 months before taking the written, it's just going to mean that I'll need to do a lot more review for stuff that I've learnt in the last two weeks…it's better to strike while the iron's hot! And since the written is mostly theory there is no real need to be hammering away on the CLI playing with stuff, which is really what I want to get stuck into.

My Dynamips machine is slowly coming together. I'm probably going to do most of my study on a virtualized system so that I can go at my own pace for next to nothing. Dynamips will run my routers, PEMU will run PIXs with 8.x images (I'm not going to worry about ASAs at this stage), and VMware will run both the ACS server on Windows 2003 and IPS with the 5.x image. Obviously I'll be missing some key things for the 3.x lab, but most of it is going to be there and in the beginning it's plenty to start with.

More books

Posted in CCIE on December 26, 2008 by cciejournal

Purchased another couple of books for my security studies.

Cisco Router Firewall Security – Richard Deal
CCSP IPS Exam Certification Guide – Earl Carter

The IPS book was actually hard to track down for a decent price, the cheapest on Amazon was $120 US! In the end I managed to find it on eBay. I won the sale for .99 cents, but shipping from the states was $32….still, that's not too bad :)

After doing a fair amount of research I think I'll be purchasing the following titles as well:

Cisco Network Security Troubleshooting Handbook – Mynul Hoda
Network Security Principles and Practices – Gregg Schudel

CCIE Security

Posted in CCIE with tags on December 23, 2008 by cciejournal

After much thought I’ve decided to skip the CCNA Security/CCSP path and just go straight for CCIE Security. There’s a few reasons behind my decision and I thought I’d share them along with how I’m getting started.

1) Cost
The cost of sitting the CCNA Security exam plus the 4 exams for CCSP is $750 US. On top of that there’s the study material required for each one. Granted some of the books I buy for CCIE could be used for both, but I’d rather spend all that money on CCIE.

2) Time
I just can't be bothered doing 5 separate exams just to move on and do 2 more. I'm now fully aware of what's required to do a CCIE and what I'm getting myself into. It may be an advantage to work my way up if I thought that I might be in the market for a new job at some stage next year, but the fact is I won't be. In the end a CCIE is worth 10 times more than the associate and professional certs.

3) Content
Apart from the elective exams in CCSP, virtually everything you find in the lesser exams is part of the CCIE blueprint anyway. Also I don't really need or want to know how to set things up in the SDM (which is more of a focus in associate and professional) so I'm quite happy to skip those parts :)

4) Work
With my new job just around the corner I'm going to have access to a plethora of mentors and e-learning tools that will no doubt be able to speed up the learning process for me.

——–

Strategy
I’m going to focus entirely on the 3.0 version of the blueprint and my first milestone is to sit the written exam once it changes in April. So really all I need to worry about at this stage is building a foundation of all the topics by doing plenty of reading. I’ll be updating my study material list at the top right of this page, but at the moment I have the following titles:

Network Security Technologies and Solutions (CCIE Professional Development) – Yusuf Bhaiji
Cisco ASA, PIX, and FWSM Firewall Handbook – David Hucaby
Cisco ASA – All-in-One Firewall, IPS, and VPN Adaptive Security Appliance – Jazib Frahim

Once I get a bit more cash I’ll invest in some class-on-demand videos too.

For the lab I'm not sure what vendor I'll use. It's most likely going to be Internetwork Expert since they are now working on the 3.0 material and plan to have it released before the new exam kicks in. I'll use Dynamips for random ASA and IOS stuff, but unless I get access to some real equipment with my new job I'll settle with rack time for most of my lab preparation.

My goal is to sit and pass the lab by Q3 of next year, but we’ll wait and see. I’m not going to let this one rule my life for nine months :)

SNAF Topology in GNS3

Posted in CCSP with tags , , , , on December 5, 2008 by cciejournal

After a bit of screwing around and reading about PEMU/VMware I managed to get my topology working as intended. GNS and virtual adapters don’t seem to like on the fly changes. The solution in the end was to configure all the adapters/IP’s etc, reboot the VMware host machine, then create the topology in GNS from scratch.

My laptop is directly connected to my Dynamips/GNS machine (running Vista) which is bridged to the inside interface of the PIX. The Dynamips/GNS machine also runs a virtual instance of Windows 2003 server with Cisco ACS installed which is bridged to the DMZ interface of the PIX.

The PIX 525 is running release 8.0(4) with ASDM 6.1(3).

Apart from testing failover (which doesn’t really work properly in Dynamips) I can play with just about everything required for the first ASA exam (SNAF).

(diagram: drawing1)

After about 10 solid hours of messing about and doing a shitload of reading I'm pretty comfortable with just about every topic. The next step is to do some labs from the Cisco Partner e-learning connection (PEC) and then book the exam as soon as I've done a solid review.

At the same time I've been studying for SNAF I've been going through the CCNA Security certification guide. I think for anyone that's completed the ISCW exam from CCNP, providing you have a basic understanding of security concepts I'd say you're probably 3/4 of the way there to obtaining this cert. Definitely worth the effort imo…

Still here

Posted in CCIE with tags on November 25, 2008 by cciejournal

Sorry, I’ve been a little slack with that second update on the lab. Reason? I’m studying again.

Since I arrived in the UK looking for work, I have always fallen short in one main area…..Security. Because of this I've only been considered for a handful of roles. Although I do have a lot of experience with Inspection, IPS, and IPSEC and general security on IOS based platforms, I don't have very much experience with PIX and ASA products. Well I kinda do, but it was a fair while ago and it simply doesn't hold up in an interview because I'd forgotten even some of the basic rules to their operation.

My goal after achieving IE status was to get up to speed with security platforms like the PIX and ASA again so that I can vastly improve my employment prospects.

After studying for about a week I started to get the bug again, and I’m at a crossroads….

I always thought that after getting my R&S that I would move on to Service Provider since I already have my CCIP and a lot of experience with MPLS VPN solutions. I was even thinking about buying the study material before finishing my first IE. But now I’m not so sure….

I’m now leaning towards an IE in Security but I think it’s more of a challenge and just generally more interesting to me.

So I got myself a copy of David Hucaby's Cisco ASA, PIX, and FWSM Firewall Handbook, and Cisco ASA – All-in-One Firewall, IPS, and VPN Adaptive Security Appliance, which are accompanied by GNS3 with PEMU for some labbing.

At this stage I’m just going to take baby steps, but I think first up I’ll do three of the CCSP exams that make up the ASA specialist certification and see how we go from there. Starting with SNAF (Securing Network with ASA Foundation), then CCNA Security, followed by SNAA (Securing Networks with ASA Advanced).

—–

As far as work goes, I’ve been looking for a little over two weeks now and after a few tweaks of the resume, and submitting it to the right places I’m starting to generate some good interest. Let me tell you, having a CCIE on your resume definitely raises some eyebrows. Recruiters call you, not the other way around. So with any luck I’ll be employed before the week is out…

Funny

Posted in CCIE with tags on November 22, 2008 by cciejournal

My experience with the lab

Posted in CCIE with tags , on November 21, 2008 by cciejournal

Leading Up
For the last few days of preparation before the day, my main goal was to get plenty of rest, adjust my body clock for an early start, and do as much review as possible without overdoing it. This meant no booze (at all!) for the last 5 days, getting to bed no later than 10pm, and getting up at about 8 o’clock.

For review, I went through the entire configuration documentation for the 3560 and 12.4 Mainline IOS. Not to the point of reading every single word though, just light skimming. Obviously at this stage I already knew what a lot of things did and where they could be found. But for some of the more obscure little things, I just read the introduction which tells you exactly what each technology is used for. Along with this I read the entire command reference for BGP, OSPF, EIGRP, RIP, and Multicast.

I also walked through the two practice labs in this digital shortcut from cisco press. I’d highly recommend this if you haven’t taken an assessor lab, just so you can get an idea as to how the questions are asked and solved. But don’t be shaken about by how difficult the two labs are, both of them (especially the first one) are off the mark.

Finally I read through all of Michael Zuo’s CCIE notes. These are great. Nothing too heavy, just a recap on a ton of things you can do with each technology, their nuances, and examples of when to use a particular technology for a particular question. You can definitely tell he studied with Internetwork Expert :)

As far as not overdoing it, I did short sessions of 1 or 2 hours for no more than 6 – 7 hours (total) a day. In between I’d just be watching TV or reading CCIE success stories for hints and inspiration.

One last thing worth mentioning. Exercise. For me it was crucial to my study as it helps me think properly and stay alert. Most importantly was in the last few days, without getting a 30 – 45 minute run in of a night, it was near impossible to sleep when I wanted to sleep. If I didn't do something physical, I'd end up staying awake til 2am thinking about OSPF adjacencies, BGP peerings, and VLANs that I forgot to create!!

The day before
On Thursday I woke up and didn't really do much at all. Just packed my things, had breakfast, watched TV and waited for my ride to the tube station that takes me to Heathrow, my flight was at 2pm. On the flight I just listened to some relaxing tunes and skimmed through Michael Zuo's notes.

At Brussels airport there was supposed to be a free shuttle service that runs to the NH hotel. What's stupid is that this doesn't run between 10am and 5:15pm. So instead of waiting an hour I got a taxi to the hotel which cost me 12 euro.

After checking in, the hotel was nice btw, I walked out the front door, turned right, then turned right again….then turned right again, and walked up the hill to Cisco. The first building is 7B, that's not the right one, but the receptionist was hot. You actually walk straight past it until you get to the next Cisco building that looks identical (6B). I went to the reception area and just confirmed that I was in the right place. The security guard said they start at 8am in the morning. It takes no time at all to get there.

With reconnaissance out of the way, I went back to the hotel and used the gym to go for a run before my dinner.

The hotel was pretty good, but it was also expensive. For 24 hours of private Internet access was like 20 euro, and downstairs the Internet was something like 35 cents a minute…Ripoff.

Meals weren’t cheap either, the average main was about 25 – 30 euro. I just went with the buffet and stuffed my face with all three courses (still cost me 30 euro though).

After dinner I just went back to my room, watched some TV and read over Michael’s notes until I was tired. I was in bed by 9pm and asleep by about 11. It wasn’t the greatest sleep though, I still woke up twice which then took me about 20 minutes each time to fall asleep again. But that was kind of expected….

The Lab
My alarm went off Friday morning at 5:45, I got dressed and went downstairs for a 30 minute run before a shower and buffet breakfast which included all the usual kind of tasty stuff. After that I went back up to my room, packed my things, and headed downstairs to checkout. By 7:30 I was at the reception area of Cisco. I signed in and took a seat in the waiting area where there were about 8 other hopefuls. I just sat there and gathered my thoughts…

'Wow' I thought. Months of preparation for this one day where you need to be on your best game. If you fall short of the mark, you've lost a large wad of cash, without improving your chances of getting a job and having money before Christmas, which also means you have no idea when you're going to be able to afford a second shot at the title. That was the way I looked at it anyway. Not to put any pressure on myself or anything….

Was I nervous? No. Excited? No. Anxious? Not really. To me it was just another day doing another lab. I’ll elaborate on this later.

At 7:50 we were greeted by Bruno (the proctor) who escorted us upstairs. He showed us where the facilities were, outlined the rules, start/finish times, and gave us a few small tips.

We started at 8:15. It took me 1 hour and 15 minutes before I started configuring ANYTHING, which I'll admit was a little slower than expected. In that time I did the following:

  • Drew up a grid that included columns for: Task Number, core / easy questions, notes, whether I had done (configured) it, whether I had checked it, and point values.
  • Read every question in the lab, even to the point of working out what the solution was, making a quick note on my notes column, and marking if it was a core question or easy question.
  • Drew my L2 diagram, this was done in conjunction with reading the switching section.
  • Drew my L3 diagram, this included DLCIs so you don't have to reference the DLCI page anymore, and which routing protocols were running on which interfaces. Also done during my reading.
  • Checked the initial configs and IP addresses.

After reading the exam I was very surprised at how short it was, and how easy it appeared to be when you compare it to the IE labs. But the difficulty part made me a little wary that I was maybe missing something….

I started with frame-relay, moved onto my core switching tasks, and then went straight into IGP. I took my time on each task, making sure I read the question twice and fully verified each one. Amongst them there were about 2 tasks that got me really thinking. For these I simply made a quick note, did something else, and by the time I came back I knew what the solution was. It’s like your mind is thinking about it even when you’re not concentrating on it.

With 30 minutes before lunch I had finished my IGP (apart from one task that wasn't core related) and had full reachability within the domain with my TCL scripts. The last half hour was spent picking up some quick points in various sections. Just before lunch, I saved and rebooted all my equipment.

Lunch was pretty ordinary. I played it safe with some chicken, chips, and a coke.

My initial plan at this stage was to use my lunch break for working through any really tough questions so that when I got back, I wouldn't have to waste much time on them….but I kinda forgot. I just sat quietly waiting for round 2!

It was 12:45, I had 4 hours to go and I was about 2/3 through the exam. I quickly checked that reachability was still there and all my neighbors were up before doing the rest of the easy tasks.

After the quick easy ones BGP was next, nothing too difficult, but the Cisco way did throw me off a little bit in terms of how I was able to verify it. It may vary from lab to lab, so I’ll just say that you should clarify with the proctor how they grade it. But when he gave me the answer it left me with the impression they are all like that. Interesting…

Last up was multicast & QoS. The first QoS question was slightly tricky but only because of the wording. Reading it I started thinking, but what if this?? and what if that?? I asked the proctor and he could see why I was confused and simply said, “just do what it says”. Without dwelling on it anymore, I did my configuration and moved on to the next one. For this, all I’ll say is thank you Michael Zuo! Had I not read his notes I would never have figured this out in time.

With one question left from IGP, I decided that I wanted to secure all my other points. I grabbed a drink and started verifying every task word for word. During this I referenced my notes with the question and my solution to see if it matched and I hadn’t missed anything. This is where I started getting a little paranoid….

I think I changed two solutions to better suit the questions, and added extra configuration to another two to make entirely sure that I was definitely going to meet the requirements regardless of how strict they were going to be with the answers.

It's hard to explain, but when you see the questions you will notice all the key words that are just begging for a certain command to be used. Most of the time everything you needed to do was explicitly asked, but there were a couple of times where they do expect configuration even though it's not directly specified. For these you should be able to reference the configuration guides, look at the table that explains each command (optional or not) and derive the complete and correct answer from that.

Verification took me 90 minutes which pretty much brought me to 15 minutes remaining. As I mentioned in the last post, I accidentally forgot about one question and my quick solution didn't work, so I scrapped it. Finally I saved all my configs and began the wait knowing that I gave it all I could.