No Cigar
Well, the title says it all. My attempt this time around wasn’t good enough…
In a nutshell, I failed for these reasons:
- Although I got my ‘core’ tasks done fairly quickly and end-to-end reachability was there, when I went to do my re-read early in the afternoon I found I had missed a couple of critical sub-sections that required me to quickly rework my solutions. This made me a bit nervous and frustrated, and in the end probably cost me 4 – 5 points due to rushing.
- Getting used to the lab topology and addressing took some time. Had I not run into problems with the Test PC and AAA then I probably wouldn’t have needed to understand how everything connected together in detail.
- It was the proctor’s first day at proctoring the CCIE lab. One issue here was that he spent a good amount of the day either on the phone or away from his desk. This resulted in me not getting clarification on two questions. This is entirely my fault – I should have made sure I got what I needed to know. I definitely lost 5 points here, maybe a couple more.
- I also ran into two problems that the proctor could not give me a clear answer on. So I was unsure if I was dealing with a lab problem or a configuration problem of my own. Some task ambiguity didn’t help this situation either. So due to running out of time and not getting the info I needed I think I lost 9 points here.
- Due to time wasted on various things, I skipped some verification in the later sections. Thankfully most of them were right, but had I verified all of them I think I would have secured another 3 or 4 points – thinking back, I may have missed something.
To be honest, I finished the lab with a little bit of optimism, but I wasn’t at all surprised when I checked my result online.
I’m about 90% there. A lot of my failure was down to strategy, and not using the proctor enough. Sure I made some mistakes, but they really came down to strategy and my use of the proctor.
The positives
- The OEQs are simple, straightforward questions. Nothing too hard, and nothing a decent engineer shouldn’t be able to pass. All my worrying about these was a complete waste of energy.
- I now know how the lab is pieced together and getting used to the topology should save me at least 30 minutes.
- The actual configuration difficulty is not that hard. Yusuf’s labs are much harder and so are INE’s. The real lab is still difficult though because of task dependency; strategy is key.
- I’ve seen the lab now. That’s an advantage in itself. Next time I will know roughly what to expect.
I’ve got a ski trip at the start of March and the 30 day waiting period ends on a Saturday, so I’m probably going to book in for around mid March.
Study from now on won’t be nearly as intense. I’m going to keep up with reading and some labs, but essentially a couple of days during the week and one day a weekend.
1 Day to go
Today is the day before ‘the day’. It’s 7:00 in the morning.
I set my alarm extra early today so that I could be tired enough that I’d be able to get to bed at a reasonable time this evening, and also to be sure that I get a decent amount of rest before tomorrow. One thing that has been different this time around is that generally I have been able to sleep with no problems during the lead up. No redistribution nightmares or anything ridiculous like that!
Sunday was another fairly relaxed day. I did some reading here and there but didn’t want to push myself too much by doing another lab. However I did feel up to one yesterday and decided to go with Yusuf’s Lab 2. Apart from a couple of hiccups early on the whole thing went pretty well. My final score was 80 in 7hrs and 30 minutes.
Today I’m just going to chill out, maybe read a few blogs, pack my travel case, and then head off to Kings Cross station to catch the Eurostar over to Brussels.
Overall I’m feeling a whole lot better about the exam than I did a few days ago. I think being burnt out was part of the problem – too much study skews your mind. If you start pacing around and getting ticked off at things easily, then it’s definitely time to drop what you’re doing and go outside where there are people n’ stuff. Go out for a meal, or watch a movie; anything but study! Trust me, it helps.
If I feel up to it I’ll probably do a postmortem tomorrow night just so that it’s fresh in my mind. But if not, I’m hoping that the next post on here starts with ‘I passed’ :)
Update – 3 days to go…
So I’ve been off work since Tuesday and have been pretty much focused on nothing but study. Eating and sleeping was in there too I guess..
Tuesday was INE’s Lab 10 which gave me an absolute arse whipping. Lots of good stuff came out of it though, and considering it was rated a 9 I think I handled it reasonably well.
Wednesday was a reading day. I browsed through a good chunk of the IOS configuration guides, and read through parts of Yusuf’s Security Solutions book, mainly the sections on attack mitigation and Layer 2 security. But overall, generally just becoming familiar with what’s in there and reading the sections I thought could be related to OEQs.
OEQs…probably the only part of the lab I’m not entirely confident about. I have heard from recent candidates about the varied difficulty of these questions, but unless you have a good idea of a person’s level of knowledge it’s somewhat hard to gauge.
Considering some of the ‘examples’ I have been given I think even the most prepared of candidates could get unlucky with what they are asked, and fail. But that’s how it works these days: not only do you need good documentation navigation skills for stuff you don’t know, you also need to be able to pass the lab just with good memory and a bit of luck! Nice.
I’m definitely jumping ahead of things here since I have never come up against the OEQs, and maybe everything will be fine. But I think a re-read is definitely not out of the question if it’s the only apparent reason for not passing. Why not see what someone else thinks of the answers? It’s a little bit different to checking a config, which is much more clear cut with it being right or wrong. We shall see.
From the practical side of things I think I’m at the right level of being able to implement most technologies I could be given on the lab without needing the documentation – and anything I’m not sure of I can normally work through in a short amount of time.
I did Yusuf’s Lab 1 yesterday and it went pretty well. I lost a whopping 11 points to three stupid mistakes, and a further 7 points were working configurations where it was slightly unclear how they would be graded. Two other questions I didn’t get time to complete because I spent too long troubleshooting a buggy FPM that was a correct config, but not working.
So in marking ALL of these wrong I didn’t actually pass, but it was a 74 in 7hrs 20 minutes. However this lab is definitely harder than the real thing, with more points/tasks, so I’m not overly fussed by the score. The main thing is that I knew what to configure explicitly for most tasks, and also knew what was implicitly required for the whole working configuration.
Today is a day of reading and general relaxing. Tomorrow I’ll probably do another lab, but I’m unsure if I’ll do Yusuf’s Lab 2, IPexpert’s Lab 17 freebie, or an INE one.
Lab 8
Did Lab 8 yesterday. Its difficulty was a 6 and I finished it in 6hrs and 36 minutes with a final score of 87.
Although it is rated as one of the easier INE labs and most tasks weren’t that challenging, it definitely didn’t mean that it was a piece of cake – DMVPN gave me heaps of problems which resulted in me spending probably 20 minutes more on it than I should have.
To cut a long story short, it just didn’t want to play nice. R1 to R5 was working while R6 wasn’t, and then they would all stop working. Once I finally had them all pinging each other I then ran into the same problems when trying to protect the tunnels with IPSec. It seemed to me that all routers were getting hung at some point, which may have been dependent on how I implemented each one. The difference this time to others was that I tried to do a lot of it manually instead of looking up CCO and doing a copy and paste. So after much pain, to fix each node it required either a reboot or a removal of the Tunnel interface and re-adding it again.
Breakdown of incorrect tasks is as follows:
2.4 – Don’t really know what I was thinking here, but I put the policer in the wrong direction because I thought that if you are inspecting for the return traffic then that would be the same interface you put the policer on. They are completely separate actions which are implemented differently. This is pretty basic shit and I should have got it right. 3 points…
2.5 – I missed the requirement that stated to only NAT between the two subnets 10.0.0.0/8 and 192.10.2.0/24. I just used a standard ACL. 2 points.
5.2 – I did the same thing wrong here that I did one or two labs ago. I specified the auth proxy cache timeout, but I specified it globally instead of on the instance I was using on the interface. Show outputs display the default timer still. Bit lazy on my part, since if I had verified properly I would have caught it…. 4 points lost!
7.2 – Had everything right here, port security, ip verify, and DHCP snooping, but I didn’t set ip verify to do both IP and MAC using the port-security option. 2 points.
7.3 – This was a command I’d never heard of and had forgotten from the last time I did the lab. Probably wouldn’t have got this in the real lab unless it was the last question and I had time to go through the switch command reference. 2 points.
Overall I think it went pretty well. Straight on to Lab 9!
Lab 3, and some general rambling…
Pushed on and did Lab 3 yesterday. Difficulty 8, taking 7 hours 15 minutes, with a final score of 72, or 75. Reason for that is I still have one particular task where I’m pretty sure I configured correctly, yet the solution suggests otherwise – more on that in a sec :)
I have to say that doing two labs in two days is tough. Especially when you have a certain window of time to do each one and mark it in the same session. It was just so much easier when I could do a full R&S lab in dynamips and then mark it over the course of the evening at my leisure, or even the next day if I couldn’t be arsed.
The additional freedom of starting labs whenever I wanted instead of designated time slots was pretty handy. Next week should however work out better since all my rack sessions start at 5am and go to 10:30 pm (3 slots). Plus those extra few hours of rack time will be crucial in the last week of prep to make sure that I catch every little mistake, and correct them before the real thing.
When grading your own labs it’s important that you’re as thorough as you possibly can, no matter how much it pains you to do so. I’ve found that it’s very easy to fall into the habit of just skimming over it because (a) you can’t be bothered, or (b) you develop the mindset that when you initially configured it… it was right. It’s not always the case, so make sure you don’t make that mistake.
Anyway, back to my results for Lab 3. At first I was a little disappointed, but then when I think back to how I was doing at the same stage of my R&S studies I’m somewhat reassured that everything is ok. Sure, I made stupid mistakes, and yes there are still some technologies that I didn’t have completely nailed, but the key is that it’s highlighted now before it’s too late – when you get so close to sitting the lab, the shortcomings you learn now are much harder to forget on the real thing.
1.3 – Completely missed a bullet point here that says there should be no IP addresses in the ACL entries. The solution calls for hosts to be defined so they show up as names. Easy enough, but I still lost 3 points.
1.6 – This QoS task asked to police both the site-to-site VPN and remote access users. Bit confusing really, since there were no remote access VPNs terminating on the device. The solution was to apply it to the DefaultRAGroup. 3 points.
2.1 – Missed an ACL on ASA2 when implementing CBAC on R5. No excuses here. 2 Points.
2.2 – Did the exact same thing here!! Missed the ACL on ASA2 for additional CBAC on R5. Another 2 points!
3.3 – Another case of not reading the task properly enough. It said to make sure the loopbacks are advertised into OSPF as /24’s. Had I read it properly, I would have done it. 4 points for DMVPN – Ouch.
3.4 – This task is what I was talking about earlier. Keeping it fairly short, the section stated to ‘make sure that the spokes do not query the hub’s NBMA mapping table in order to discover the NBMA address of another spoke’. DMVPN phase 3 is the answer in my opinion, and the various publications I’ve read suggest the same. But the solution used broadcast mode instead of point-to-multipoint like I did. So I decided to lab this up and debug the whole process in broadcast mode, and the spoke does query the hub. Only point-to-multipoint will achieve the same result. So in my opinion, the solution is wrong. So we’ll see what others say over the next few days.
If anyone feels like chipping in, the post is here: http://ieoc.com/forums/p/9866/102808.aspx#102808
6.4 – Again, didn’t read properly since it was hidden in the opening sentence. I configured the IPS signature correctly but didn’t see that I had to deny in-line. 3 points.
7.2 – Misinterpreted here. I saw RFC 2827 and configured uRPF. Should have used an ACL in and out. 2 points.
8.3 – Set the rate-limit for the signature to 25% but left the external rate-limit percentage at 100%. Haven’t quite looked into this yet. 3 points.
So as you can see, a few annoying mistakes in there and a few valuable lessons. Hoping this weekend is a bit better…
Edit –
Ok, so Marvin Greenlee got back to me and clarified the DMVPN issue. Although I thought that R1 was querying R3’s mapping table, it’s normal behaviour to send the request to the NHS, who will then forward it to the spoke. He also said that if my spoke to spoke tunnels were being built, then I got the task right.
Final score = 75
Lab 7
Attempted INE lab 7 yesterday which is rated at difficulty 7. My final score was 85 and it took me 7hrs and 20 minutes to complete.
To be honest, I’m not sure exactly what to think. The lab itself wasn’t that difficult, and a lot of my free time at the end was spent on two particular questions that I left until last. Here’s where I dropped points:
4.3 – Not sure if this would be considered wrong, but my RSPAN configuration was only sending vlan 52 traffic from switch 1 to the IPS sensor. The segment itself only consisted of two devices, so in reality it was always going to see traffic between the two devices (R5 and BB2). Not exactly sure how this would be marked in the lab…. – 2 points
5.2 – I used the wrong value for the auth-proxy auth cache-timeout. Just a reminder that I need to be more careful with just using the context sensitive help to configure miscellaneous features and values. However the solution worked – 3 points
5.3 – Simple SSH question, but after looking at the solution I think I may have broken the initial rules of the lab about changing the VTY lines. One thing I learnt from this is that after enabling aaa new-model and specifying auth login on the VTY lines, you can still use the ‘line’ password for telnet while SSH will work fine for username and password. My solution specified ‘local’ for the auth, which meant telnet asks for a username too – 2 points
6.1 – Same as 5.3. Once again not sure if I broke the lab rules – but it’s quite possible I did. 3 points!
7.1 – Didn’t get this destination NAT solution right. I spent probably 15 minutes on it and just gave up. This was the last question I attempted – 2 points
7.3 – Silly mistake here. I configured everything right and forgot that to send ACL logging to the syslog server I need to specify ‘informational’ trap logging – 3 points
Now it’s time to do another one!
Where I’m At…
Welllll, not much action on here in quite a while….
Christmas is over and I have a few moments spare for an update on what I’ve done and what I’ve still got to do. Considering my security lab is booked for the 27th of Jan I think I’ll become a little more active on here since I think most readers are probably more interested in the ramp up, how my full scale labs are panning out prior to the day, and then actual detail on the lab experience itself.
Going back about 6 – 8 weeks now I was plugging away doing Volume II labs on the weekends, and doing the finished Volume I labs (for the 3rd or 4th time) during the week all in preparation for the five day IE bootcamp in Amsterdam.
Before the bootcamp I had completed all 10 of the Volume II full scale labs and my results were varied. I passed one or two of the easy ones, and managed to score around 60 – 70 on the mid range ones. Lab 3 and Lab 4 (two of the much harder ones) were a complete disaster, but I managed to still learn a lot from them. Btw these were taking a full 8 hours or more.
My approach to doing each of the Vol II labs was also varied. Bear in mind that I was using IE rack rentals for all of them, so I was booking two slots to do one lab (11 hours total). For labs with a difficulty of 6 – 8 I would use the first 8 hours of the session to do the lab, and then use the remaining time to review and mark my configurations. For labs with a difficulty of 9 – 10 I would do a section or two and then go through the solutions to make sure that I didn’t create problems for other tasks later on.
I think this approach was really helpful, the difficulty 9 – 10 labs are just outrageous, but they teach some very valuable lessons that will help for the real thing. I don’t recommend attempting them all in one go.
Most times, the full scale lab attempt (including review) was taking the full 11 hours which equated to a very long and tiring Saturday & Sunday when the sessions started at 11am. But unfortunately it was the only way.
When it came time for the bootcamp I felt I was at a pretty comfortable level in dealing with all of the major topics and configs, which is exactly where I wanted to be. I wouldn’t ever recommend going into a bootcamp without having done what the vendor suggests prior. I just don’t think you get enough out of it – unless of course your employer pays for it and then you can do what you like :)
I won’t go into too much detail on the bootcamp itself, but I think I got what I needed to get out of it. Marvin cleared a few things up that I really couldn’t get a grasp of. Sometimes all it takes is someone to explain something in its simplest form and then everything else just falls into place. He also gave me some really good info on what to expect on the day. Most of my questions here came from my previous experience of sitting and passing the lab – as I understand it the lab format and difficulty is pretty consistent among all of the tracks, so I should know what to expect on the day. Good news.
At the end of the bootcamp Marvin gave me the green light for the lab. I wouldn’t say that I was ready straight after the bootcamp, but at the time, with 7 weeks left to go, I definitely would be.
When I returned home on the Friday, I chilled out right through to Saturday night and then went to bed ready to start my second attempt at the Vol II labs on the Sunday. A much improved attempt.
It was Lab 1 with a difficulty of 7 and my score was 78. I made sure my marking was extremely harsh and, while I don’t have the notes with me at the moment, I wasn’t too concerned with the points I missed. I finished it in 6.5 hours, and would have definitely got in the 90’s with that extra 1 hour and 45 minutes (OEQs take away 15 mins :))
I simply made a note of each incorrect topic or question and will use this for review prior to my lab.
The following week was my birthday, so I didn’t end up doing any labs. The next weekend I attempted Lab 2 on the Sunday with a difficulty of 6 and I scored 86. Again similar to Lab 1, but I managed to finish this one in 6 hours. Three of the questions I bombed out on were 4 point ones….again, not too concerned. It wasn’t that I didn’t understand what was asked for, I just made configuration mistakes.
I’ll just point out, when I do a lab I’ll verify all the way through to reduce the number of mistakes, but I’m definitely not as thorough as I would be in the real lab. That’s what the remaining time is left for – checking every single line and every single bullet point to make sure that I haven’t missed a single thing. When I’m doing this at home, I just don’t see the point when you’re marking it yourself. I think the aim should be to get through it as fast as you can with as few errors as possible and then see how you went. It worked for me the first time around, so I’m going to stick with it.
So….with Lab1 and Lab2 done a second time the rest of 2009 has consisted of:
- Reading the CCIE practice labs by Yusuf – awesome release, I think this is a must for the lab, it has some really great advice.
- Reading chapters from Yusuf’s Networking Technology book – for the OEQ’s
- Reading the IPS CLI configuration guide – just browsing really, looking for where stuff is and any features I wasn’t aware of.
- Reading the IOS configuration guide – still lots to go
- Reading the ASA configuration guide – still about half to go
For 2010, my next full scale lab is on the 9th, so until then I’m just going to keep on with my reading and finishing the Vol I labs (for the last time) during next week.
I start work again on the 4th like most other people and it’s going to be pretty busy from the get-go. But I’ve arranged with work for about a week and a half off leading up to my lab so that I can do one final push – so expect a flurry of updates over the next few weeks!
Fix for ASA multicast issues and PEMU
Not discovered by me, but by JayTee who posted a comment. Thought I’d make it known to everyone. I haven’t tested it.
<snip>
OK, I got multicast working. It’s a known problem. The fix is to comment out
some qemu code. This really isn’t the “right” way to fix this as the ASA
will apparently get all multicast traffic instead of the multis that it
registers for but it fixes the problem. See explanations here:
http://juniper.cluepon.net/index.php/Olive
http://sioduy.blogsome.com/2009/04/05/install-olive-in-freebsd-71/
</snip>
Static Policy NAT & PAT
Going through this a second time today it was still as confusing as the last time I did it. After dissecting the configuration, it’s only slightly different to any other NAT statement once you include the contents of the ACL.
(Real,Fake) Fake, Real, Policy
access-list POLICY extended permit tcp host 136.1.121.1 eq telnet 136.1.122.0 255.255.255.0
static (inside,outside) tcp interface telnet access-list POLICY
With the above configuration, if you tack the ACL onto the static statement it’s exactly the same structure, except you have the ‘policy’ at the end to say what triggers the translation. In this case, any telnet traffic which is sourced from 136.1.122.0/24 and destined to the ASA’s interface will be translated to the REAL address of 136.1.121.1 on port 23.
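To make the (Real,Fake) Fake, Real, Policy structure concrete, here is an added Python example (not part of the original post and not Cisco code) that parses the two ASA lines above, joins the static statement to its policy ACL and spells out both directions of the translation. It handles the general form rather than just this one case: static policy NAT without a port as well as static policy PAT with the tcp/udp keyword. The sample config is a constructed copy of the post’s own two lines; the port-name table, the field names and the wording of the summaries are my own assumptions.

```python
import ipaddress

# Subset of the service names the ASA CLI accepts in place of port numbers (assumed list).
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "http": 80, "https": 443,
              "smtp": 25, "domain": 53, "ftp": 21}

# Constructed sample, modelled on the two lines discussed in the post.
SAMPLE_CONFIG = """
access-list POLICY extended permit tcp host 136.1.121.1 eq telnet 136.1.122.0 255.255.255.0
static (inside,outside) tcp interface telnet access-list POLICY
"""


def port_number(token):
    """Resolve a numeric or named port token to an integer."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port token {token!r}")


def take_address(tokens, i):
    """Consume 'host A', 'any' or 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def take_port(tokens, i):
    """Consume an optional 'eq PORT' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return port_number(tokens[i + 1]), i + 2
    return None, i


def fmt(net):
    """Show a /32 as a bare host address, anything else in CIDR form."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def parse_acl_entry(line):
    """Parse 'access-list NAME extended permit PROTO SRC [eq P] DST [eq P]'.
    In a policy NAT ACL the source is the REAL (untranslated) address and the
    destination is the peer whose involvement triggers the translation."""
    t = line.split()
    if t[0] != "access-list" or t[2:4] != ["extended", "permit"]:
        raise ValueError("only 'access-list NAME extended permit ...' is handled")
    real, i = take_address(t, 5)
    real_port, i = take_port(t, i)
    peer, i = take_address(t, i)
    peer_port, i = take_port(t, i)
    return {"name": t[1], "protocol": t[4], "real": real, "real_port": real_port,
            "peer": peer, "peer_port": peer_port}


def parse_static(line):
    """Parse 'static (REAL_IF,MAPPED_IF) [tcp|udp] {MAPPED_IP|interface} [MAPPED_PORT] access-list NAME'."""
    t = line.split()
    if t[0] != "static":
        raise ValueError("not a static statement")
    real_if, mapped_if = t[1].strip("()").split(",")   # (Real,Fake)
    i, proto, mapped_port = 2, None, None
    if t[i] in ("tcp", "udp"):          # tcp/udp keyword makes it static policy PAT
        proto, i = t[i], i + 1
    mapped, i = t[i], i + 1             # Fake: mapped address or 'interface'
    if proto is not None:               # a mapped port is only present for PAT
        mapped_port, i = port_number(t[i]), i + 1
    if t[i] != "access-list":           # Real + Policy both come from the ACL
        raise ValueError("expected 'access-list NAME' to close the static statement")
    return {"real_if": real_if, "mapped_if": mapped_if, "protocol": proto,
            "mapped": mapped, "mapped_port": mapped_port, "acl": t[i + 1]}


def describe_policy_nat(config_text):
    """Join each static policy NAT/PAT statement with its ACL entries; one dict per pair."""
    acls, statics = {}, []
    for raw in config_text.strip().splitlines():
        line = raw.strip()
        if line.startswith("access-list"):
            e = parse_acl_entry(line)
            acls.setdefault(e["name"], []).append(e)
        elif line.startswith("static"):
            statics.append(parse_static(line))
    results = []
    for s in statics:
        for e in acls.get(s["acl"], []):
            if s["protocol"] and s["protocol"] != e["protocol"]:
                raise ValueError(f"ACE protocol {e['protocol']} does not match static {s['protocol']}")
            mapped = (f"the {s['mapped_if']} interface address" if s["mapped"] == "interface"
                      else s["mapped"])
            mport = f" port {s['mapped_port']}" if s["mapped_port"] is not None else ""
            rport = f" port {e['real_port']}" if e["real_port"] is not None else ""
            # A static is bidirectional: the peer reaches the mapped address and the ASA
            # rewrites it to the real host inbound; the real host shows as the mapped address outbound.
            results.append({
                "real_if": s["real_if"], "mapped_if": s["mapped_if"], "protocol": e["protocol"],
                "real": fmt(e["real"]), "real_port": e["real_port"],
                "mapped": s["mapped"], "mapped_port": s["mapped_port"],
                "trigger_peer": fmt(e["peer"]),
                "inbound": (f"{e['protocol']} from {fmt(e['peer'])} to {mapped}{mport} "
                            f"is translated to real {fmt(e['real'])}{rport} on {s['real_if']}"),
                "outbound": (f"{fmt(e['real'])}{rport} talking to {fmt(e['peer'])} "
                             f"appears as {mapped}{mport} on {s['mapped_if']}"),
            })
    return results


if __name__ == "__main__":
    for r in describe_policy_nat(SAMPLE_CONFIG):
        print(r["inbound"])
        print(r["outbound"])
```

Running it on the sample prints the inbound sentence the post describes (telnet from 136.1.122.0/24 to the outside interface address port 23 is translated to real 136.1.121.1 port 23 on inside) and the matching outbound view, which is the part that is easy to forget when reading the static line on its own. The protocol check mirrors the ASA requirement that the tcp/udp keyword on a static PAT agrees with the ACL entries it references.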
SEC update
Since I posted the problems experienced with PEMU and ASA emulation I decided that I wasn’t going to waste any more time dealing with bugs. So I managed to convince my work that they should give me an ASA 5510 for my lab. With no questions asked, I had one two days later :)))
Practical study has been purely Volume I workbooks. I’ve gone through almost every single ver 5.0 lab (except the IPS ones), and gone through 1/3 of the VPN labs a second time. Today I’m working on the ASA labs again.
Some notes on the Volume I labs….they aren’t all correct. I have come across errors which have sent me down the troubleshooting path for long periods of time. It’s not all that bad though, stuff seems to stick better when that happens.
Initially, I was overwhelmed with the amount of VPN variations there are, and I guess without knowing how to configure them all it seemed like every single one was going to take a while to master. Not that I’m a master yet, but when it all boils down…if you know ISAKMP and IPSEC then each variation is really straightforward. Things like DMVPN and GET VPN are a piece of cake.
For the theory side, since I haven’t taken my written exam yet I read the entire CCBOOTCAMP written study guide. It’s ok, not a bad primer for some topics, and a review of some legacy products etc that will appear on the 2.0 written, but probably not enough on its own. I also purchased the Complete VPN Configuration Guide & Security Troubleshooting Handbook, of which I’m halfway through the configuration guide (it’s quality reading!). SSL Remote Access VPNs got a bit of a read, but most of it’s based on ASDM or SDM – the first half is a good intro though.
I’ve read the config guides from time to time, but I’m nowhere near the stage of trying to remember where everything is….that comes later :)
For CoD learning I’ve watched almost all the INE videos once – unfortunately they pale in comparison to the R&S ones. Those were packed full of almost every technology you come across (5 extra days of content though!).
A special mention for video content goes to the Cisco Networker 2009 videos. My work purchased a subscription and there are two (so far!) really good 2HR videos:
Advanced Topics in Encryption Standards and Protocols
Presented by Saadat Malik, who wrote Network Security Principles and Practices. He explains ISAKMP even better than he does in the book. If you can get access… I highly recommend it. Try signing up for a free account, it may be one of the free ones available. The reason I say that is, when I had a free account it seemed to let me add a few videos to my profile, then after a while I couldn’t add any more. Definitely worth a go.
Troubleshooting Firewalls
A really good explanation on packet flow through the ASA, troubleshooting tips and shortcuts, etc. Highly worth it. I’ll probably watch it again.
Overall, I think that progress is good. I’m hoping to do my first full scale lab soon.