My CCIE Study Plan / Strategy

What I am currently doing

The real challenge with preparing for the CCIE lab exam is the fact that I work weekdays, 9am to 5.30pm. I also play football every Wednesday evening and I’m at the gym after work on Tuesday, Thursday and Friday evenings with my other half.

I’m currently going over INE Volume 2 configuration labs, doing one sometimes two sections a night during the weekdays. I typically do this from 8/9pm to 11pm, sometimes till 12am each weekday (approx 2-3 hours each evening, with the exception of Friday evenings as this is ‘date night’ for me and my significant other).

I am also fortunate enough to have found a study partner so we typically do a Skype conference and Team Viewer session, alternating the driver seat of the command line. This keeps it interesting and motivating. Doing one to two section an evening keeps it fresh and allows us both to discuss the task and bounce ideas.

I then spend an hour of that time to make notes and then transpose those notes to this blog which helps me better retain the information.

I also use my lunch break at work to go over videos and information on topics that I found to be outside my comfort zone, again taking notes and updating this blog.

Saturdays are used to finish up the remaining sections, if this has not yet been completed, otherwise I take the weekend off and spend time with my partner, family and friends (very much needed).

This method is really working well for me and I’m currently doing one lab a week, breaking it into sections which helps keep it short and sweet without getting that ‘drained’ feeling. There are 8 sections in a lab, so doing one to two sections a night is very realistic and feasible.

What I am planning on doing

I plan to carry on doing this until I finish all 20 INE volume 2 labs (ignoring the troubleshooting sections). I will then spend 4 hours each evening in the weekday doing ‘timed’ 4 hour INE volume 3 labs by myself to increase speed, there are 10 labs so I should be able to finish this in one week (using the weekend also).

The next step is to then spend 4 hours each evening in the weekday doing INE volume 4 troubleshooting labs with my study partner. We will do a ‘ticket’ each to keep it interesting and I will also take notes and update this blog. As there is only 10 labs, I expect to finish this in one week, using the weekend if needed.

The last phase is more endurance than anything else. I have booked of a solid month off from work which I plan to the following;

• Do all the troubleshooting section of INE volume 2 (20 sections, 2 hours each).

• Do an INE  8 hour mock lab and use the  score sheet to identify weak areas and improve these areas by doing specific corresponding INE volume 1 lab and using video training and other resources to strengthen these areas.

• Repeat this step with new INE mock labs until I’m getting 80+ points and feeling really confident.

• Do one mock lab from IPExpert to see how I do using material created with a different frame of mind.

• Potentially do a bootcamp with INE , Narbik or IPExpert, whoever is doing one in London, I say potentially, as I will only do this if the price is right (I have spent way too much money already)  and if I  feel that I really need it – which I doubt I will need it – Confidence in my own ability which everyone needs (Part of the CCIE lab is not giving into your fears and believing in yourself).

• Go over my blog and revise the short-hand notes I have made. This should be no more than an hour a day.

• Review INE Brian McGahan 5 day mock lab online workshop and CBT Nuggets Jeremy Cioara old v3 8 hour practice lab video to see how the experts do the lab.

• Get very familiar with where things are on the Cisco DOCs site (mainly locations).

• Couple of days rest and then attempt the CCIE lab exam.

What I have done so far

• November 2010 – I have gone over both volume one and volume two of Narbik workbook on GNS3 (skipped all of layer 2 section and Cat QoS sections).

• December 2010 – I have done the volume 1 warm up phase as outlined hereon INE blog on GNS3, again skipped anything to do with layer 2. I have also started the INE Volume 2 labs with my study partner on real INE rack.

• January  2011 – Volume 2 labs, notes, blog, video on demand training.

• February 2011 – Break (Virtually no study time due to work commitments)

• March 2011 – Break (Virtually no study time due to work commitments)

• April 2011 – Volume 2 labs

• May 2011 – Volume 2 labs

Others things that ‘helps’

• I also play the INE R&S audio bootcamp when I’m driving, when I’m in the gym (even on the treadmill) and I have it playing when in bed and fall asleep with it playing on. More importantly when I do play the audio, I don’t really concentrate on it but I’m sure there is a sub-conscience retention trick here because sometimes when I tune in for a few minutes I know exactly what the guy is going to say next…So just having it on in the background, I definitely pick up a few things and I constantly surprise myself!

• If it is a quite day in the office, I typically watch an IPExpert free vLecture from Marko which I thoroughly enjoy and find that it really re-enforces my understanding. I also plan to look at some of the free Seminar from INE too.

• I manage a couple of IPVPN networks using Cisco CPE, so I get some exposure which helps. I also work with other vendor technologies in the networking and security space, which also helps a bit.

• In addition to my BSc degree in Networking, I have done my CCNA, CCNP and CCIE Written studies back-to-back, uninterrupted so my fundemental and foundation knowledge is very strong, which certainly helps.

• My partner is in her final year of university, so her time is focused on her project which means the pressure of neglecting her for my studies is very minimal!

• I have subscribed to a couple of CCIE forums and try to be as active as I can which really helps but just reading them on my iPhone is a sweet way of gaining extra knowledge.

• I also spend 5 minutes here and there looking at my RSS feeds, which hooks in to INE, IPExpert, Cisco, Jeremy Cioara blog and other CCIE candidate blogs which I feel helps.

• Train Signal Chris Bryant 3 minute CCNA and CCNP technical YouTube videos are very quick and easy to watch and always hits the high notes in my head, plus it’s free!

• Blogging! I find maintaining this blog really relaxing and I thoroughly enjoy ‘blogging’. I think it really helps, especially when I scribble my notes on paper and then type it up, I feel that my memory really holds on to the information.

• Working out in the gym really keeps me mentally sharp and I feel standing up for 8 hours in the lab will be a breeze! Also as part of my quest to get a really ripped and toned physique, I am eating so many tins of tuna a day for the protein content that I’m sure it’s doing a disk de-fragmentation and optimisation of my memory! Tuna is known as brain food, brain power and brain health

Lab Target

May/June 2011 – I hope my study plan and this blog helps other aspiring candidates out there.

Contingency plan

Yes, every strategy should include a contingency plan. The goal is to pass on my first attempt, however if I do fail my first attempt I will analyse areas where I failed  and definitely go on a bootcamp with a focus on these specific areas. As my study approach uses a number of vendor materials, mostly being INE-centric, I will most likely attend a bootcamp with IPExpert just as I feel a different mind set will play to my advantage (plus I’m also impressed with some of the vLectures I have seen from their instructor Marko). I will also purchase one of IPExpert’s workbook that focuses on labs and give that a real go followed by an INE/IPExpert mock lab  before doing my second attempt.

Cisco Instructors League Table

Okay this is just a bit of fun, but essentially the following is a list of Cisco instructors that I have rated based on materials I have personally seen/used and how engaging and easy it is for me to absorb their presentation of these materials (typically going on video presentations rather than workbooks etc)

Please post your ‘league table’ in the comments, it will be interesting to see other peoples ‘rankings’ on Cisco Instructors.

Any instructors name that does not appear on this list is purely because I have yet to personally see / review their material.

Also it has to be said, this is my own personal ranking and does not apply to everyone! Each instructor are brilliant but my table lists them in order for me based on the fore-mentioned criteria. Based on the same criteria, this may be different for you.

1) Jeremy Cioara from CBT Nuggets

• He makes Cisco certification fun and very attractive! He’s the reason why I chose this path! He’s both my role model and my hero! All geeks should aspire to be like Jeremy! What really makes Jeremy special is the analogies he uses to explain technical concepts! I think everyone remembers the Star Trek Spock and WRED/QoS analogy!

2) Marko Milivojevic from IP Expert

• I like his white board explanations and the fact he builds everything from the ground up in his vLectures (and his frequent moans about Adobe – Classic!)

3) Keith Barker formerly from INE

• His video companion series are really engaging to watch. I like that he will show you more than one way of verifying things. Watching people on the console can sometimes be boring, but Keith always injects just enough humour to keep you watching more.

4) Anthony Sequeira from INE

• His enthusiasm and passion for the subject really shines through. He’s also easy on the ears!

5) Joe Astorino from IP Expert

• To be fair, I’ve only seen one of his presentations which is a vLecture on IPV6. But I thought it was real good. Hope he does more!

6) Kevin Wallace from Cisco

• He is a really good instructor, however I do find that his material, though very well presented, leaves me with a number of unanswered questions. Maybe because his videos are designed to be very brief but to the point, more ideal to those nearer their exam date.

7) Chris Bryant from Train Signal

• Chris goes into real granular details which is a good thing. I used a Chris and Jeremy combo when tackling my CCNP and it went hand in hand. His FREE 3 minute YouTube videos are really good to watch as a quick refresher!

8 ) Tyson Scott from IP Expert

• I find Tyson’s blogs and emails very engaging and interesting to read.

9) Scott Morris formerly from IP Expert / INE

• He clearly knows his stuff, however I do find myself confused a lot of the times when I listen to his audio classes and his older BLS videos.

In-Lab To Do List

• Do not spend more than 30 minutes reading the lab task and drawing a rough sketch of the network diagram.

• If you want to test / try something that violates the exam, make sure you save your config, do what it is you want to do and then revert back by using configure replace nvram:startup-config force

• Use a TCLSH script after redistribution and also once at the end of the lab, especially when doing the security section.

• If you really can’t do a task at all, then cheat it. Do it the way you know I.e. if it says don’t use a route-map, then use a route-map. This way you’ll loose points for this task but won’t loose points for future tasks that relies on this task working.

• ALWAYS VERIFY EVERYTHING! EVERY TASK! EVERY COMPONENT! EVERY CONFIG!!!

• Don’t spend an excessive amount of time on a non-core task that doesn’t affect critical network operations.

• Skim read each task and note the task number and in one sentence what you think it is asking for e.g. 3.2 OSPF virtual-links. This will help also connect dependant tasks, e.g. 4,3 MPLS peering relies on 3.3 OSPF loopback advertisements.

• Create three columns, Column one for task numbers you definitely think you got in the bag, Column two for tasks that you have completely skipped or incomplete and the final column being one that you are not to certain that you have completed correctly.

• enabled debug ip routing on all routers.

My IPExpert Video Competition

A few months back, IPExpert held a contest to win a free CCIE bootcamp.

To enter the contest submit in your most creative way either photos, videos, short stories or tag lines, show us how much you love IPexpert.

Here is my video submission – Enjoy.

CCIE Inspiration

Some links I like to read to help keep me motivated when the going gets tough and that road to CCIE-dom justs seems like a million miles away!

CCIE Certification – Why it’s worth doing it!

CCIE Certification – Why it’s not worth quitting when you have come this far!

CCIE Certification – It is trial by fire to prove you are a network elite

Zone Based Firewall Lab Tips

• Define Zones – zone security WORD . This is where you define the zone. think of it as a container.

zone security IN (unique name)
zone security OUT (unique name)

• Classify the Traffic – class-map type inspect WORD. Using MQC Logic and Class Maps to classify the traffic

class-map type inspect match-all HTTP (unique name)
 match protocol http

• Define the Inspect Policy – policy-map type inspect  WORD. Using MQC traffic to specify how to treat the classified traffic. Here we are treating as a CBAC with the INSPECT key word. Other actions can be PASS, DROP etc

policy-map type inspect OUTBOUND_TRAFFIC (unique name)
 class type inspect HTTP (name of class-map above)
  inspect

• Associate the Policy to the Zone to a Pair and specify the Service-Policy – Here we are saying what zones will be associated with this ‘security rule’

zone-pair security OUTBOUND (unique name) source IN (name of Zone above ) destination OUT (name of zone above)
 service-policy type inspect OUTBOUND_TRAFFIC (name of Policy-map above)

• Associate the interfaces to a zone. Here we will specify what interfaces are what members of the zones we have defined.

interface Ethernet1/0
 zone-member security IN

interface Serial1/0
 zone-member security OUT

• Verification 

show policy-map type inspect zone-pair session  This will show what is hitting the policy and what is defined
show class-map type inspect This will show all the class maps defined
show policy-map type inspect This will show the policy map actions against the class maps

GNS3 – My Technical Test for Employers

I had an interesting requirement from a customer.

They asked me to implement a GNS3 server and design a 30 – 45 minute test that they could administrate to their candidates seeking a technical position with in their organisation.

The position was for a 2nd line network engineer role.

The test was to be aimed at CCNP level or equivalent, however I was to design it so that it is easy enough for even the rusty CCNP / engineers and hard enough for the complete brain dumpers and blaggers that serve to only dilute the IT industry with poor quality skill sets.

The main purpose of this test is to speed up the HR process by filtering the stronger candidates from the weaker candidates.

The successful candidates would then go ahead and progress to a final interview.

Here is the GNS3 test that I created for the purpose – To be honest, even a highly proficient CCNA engineer could do this 🙂

The .net files and pre-configuration files can be download from here

————————————–

Configure the network as per the diagram and complete the tasks below.

• Do NOT create any additional interfaces
• Do NOT use any static routes or policy-based routes unless asked.
• Ignore any duplex mismatch messages and do NOT modify any of the ports speed or duplex configurations.

Task 1: Configure an 802.1q trunk between SW1 fa1/15 interface and SW2 fa1/15 interface.

Task 2: Configure a static ether-channel 802.1Q trunk between SW1 and SW2. Both switches fa1/10 and fa1/11 interfaces should be members of the same LAG.

Task 3: Ensure all VLAN traffic successfully goes over the fa1/15 trunk and NOT the ether-channel trunk unless the fa1/15 trunk is down. Do NOT use backup interface to accomplish this.

 

Task 4: R1 and R2 should be put into VLAN 10 and should be able to ping each other fa0/0 interface. You must use the legacy vlan database command to create the VLAN.

Task 5: Ensure VLAN 20 traffic is never permitted to traverse the fa1/15 trunk should that trunk link become the active trunk link

Task 6: Ensure SW1 has the highest probability of always being the root bridge for VLAN 10, even if another switch is introduced into the network.

 

Task 7: Configure OSPF area 0 between R1 and R2. OSPF hellos should only be sent out their connected subnet interface ONLY. Ensure R1 loopback 0 interface can ping R2 loopback interface.

 

Task 8: Configure EIGRP 100 between the connected links of R1 & R3 and R2 & R3 ONLY. Ensure R3 REDISTRIBUTE its loopback 0 interface ONLY.

Task 9: Mutually redistribute between OSPF and EIGRP on R1 and R2. All routers (R1, R2, and R3) should be able to ping each others loopback 0 interfaces.

 

Task 10: Without using static routes or policy-based routing, ensure R2 is able to traceroute to R3 loopback 0 interface over its directly connected link. Don’t worry about affecting the optimal routing of other routes.

Task 11: You must deny R1 from being able to telnet to R2 only if R1 sources the telnet request from its fa0/0 IP address.

 

Bonus Task: on R2, Redistribute RIP into OSPF and RIP into EIGRP. Ensure you account for any potential loops. All routers should have full reachability to each other loopback 0 interfaces including R4 Loopback 0 interface.

 

OSPF Sham Links Lab Tips

• Without Sham Links – If two CE sites that are in the same OSPF area, in addition to the MPLS, are also connected by another link i.e. R3 is connected to Area 1 in Site 1 and Area 1 in Site 2, then this is known as the BACKDOOR link.

• Traffic will be preferred over the backdoor link as routes will appear as INTRA-area routes and therefore will not prefer the MPLS link as those routes are seen as INTER-area or External routes (see below).

• If both CE sites are in the same area, routes via MPLS will still be seen as Inter-Area routes due to the redistribution between MP-BGP and IGP into the VRF.

• domain-id needs to match on both ends for routes, as per above, to be seen as Inter-Area routes otherwise it will be seen as External routes when redistribution occurs between MP-BGP and IGP.

• With Sham Links will create a ‘virtual link’ between PE routers so that it is an extension of that area, i.e. say area 1. This now means the MPLS routes are now seen as INTRA area routers and or we need to do to prefer the MPLS link is to potentially manipulate the OSPF Cost (depending on link speed).

• Building the Sham Link needs two /32 loopback addresses that has to be advertised by BGP inside the vrf.  This loopback must always be part of the vrf (ip vrf forwarding VRFNAME).

Click here for an excellent short video that explains sham-links and the above very well

NAT Lab Tips

The Law of NAT

Inside to Outside

• A route to the destination prefix must exist before NAT can occur – Seeing nothing under show nat translations is a good indication of this.

Outside to Inside

• NAT will occur first and then check the route-table for routing purposes

BPDU Filter Lab Tips

• BPDU Filter at the Interface Level will stop BPDU from being received on that interface and sent out on that interface.

• BPDU Filter at the Global Level will stop BDPUs from being sent out on all portfast enabled interfaces (it will send a few initially though to detect if the other device is running spanning tree). It should also be noted that it does not filter BPDU it if it is received on the interface, this is because if it is received the port will lose it’s portfast status anyways.

• spanning-tree portfast default & spanning-tree bpdufilter default at the Global Level will allow the switch to automatically figure which interfaces should be edge ports by looking at interfaces where BPDUs are not coming in, which in turn means we will not send BPDUs out (BPDU filter). If we do recieve BPDU inbound, we will take this port out of portfast and disable the bpdufilter. Overall we figure out which interfaces should run portfast and which ones should not and then for the ones that are running portfast, we will kick in bdpufilter so that we do not send spanning tree information down the link (as there should be no reason too as these should be hosts etc and not switches on the other end of the link). running these two features together leaves you open to a layer 2 man-in-the-middle attack whereby the attacker becomes the root so that traffic is transit and can be sniffed.

The below URL is a link to an excellent video from INE describing the above.

BPDU Filter Explained 2011, 13 minutes by BM – INE

IP Bridging Lab Tips

• Need to enable this at the global config line with bridge irb

• bridge 111 protocol ieee needed so that spanning-tree can function for the bridge-group.

• Any protocol that needs to be routed, e.g. IP, needs to be specified with bridge 111 route ip

Catalyst QoS Lab Tips

• Enable QoS on a  switch with mls qos at global config.

• mls qos vlan-based under physical interfaces will….

EEM Lab Tips

• Check that no other EEM process is running before configuring using show event manager policy registered.

• Create a process with event manager applet MY_PROCESS.

• Applets are just IF and THEN statements. IF is a match and THEN is an action.

• The IF Statement: event cli pattern “.*interface loopback.*” sync yes – Here we are looking for somebody typing on the CLI ‘interface loopback’. The [dot/period] means wildcard or anything and the [asterix] means zero or more occurrence of the [dot/period].

• The THEN Statement: Perform the following commands to shutdown the interface
  • action 1.0 cli command “enable”
  • action 1.1 cli command “configure terminal”
  • action 1.2 cli command “$_cli_msg” (variable to get to the same interface)
  • action 1.3 cli command “shutdown”

• Verify with debug event manager all

WCCP Lab Tips

• Typically two lines of CLI. One to redirect and one to listen to WCCP members join requests etc.

• redirect-list is the access-list corresponding to the subnets you wish to redirect.

• group-list is the access-list corresponding to the WCCP member(s).

• Configure at the global command and then configure at the interface to specify A) The Redirect [ip wccp 99 redirect in] and B) The listener [ip wccp group-listen].

• show ip wccp to verify.