Browsing Posts published in March, 2009

“CCIE #23707

Obviously I cannot go into many details here, but I do want to share my story in hopes that others will benefit in some way. It is long, but will probably be my last for a while.

First of all, CCIE has to be something you really want. There are many reasons to go for it: better job, more money, etc. That is fine, but underneath it all, you must have the desire to be a CCIE. I made many career choices and mistakes before getting somewhat settled in this industry, so don’t ever think this task is too big for you. The industry needs people that have the desire.

I first heard of the CCIE exam about 6 years ago when I started out towards a networking degree. It was never in my mind that I would go for it. It was only for the Elite. My degree consisted of a couple Cisco classes, and that was enough for me at the time. Shortly after the degree, I was doing technical support for Nortel Networks and really starting to dig the L2 and L3 technologies. I mean I LOVED IT! THIS WAS MY BAG! Nortel did not have much rep (or a declining one at least) in the industry and I decided to focus on Cisco networking. I got my CCNA near the end of my tenure there.

The desire to be CCIE started after I was CCNA, when I started going for CCNP. I peeked ahead at the CCIE blueprint and thought to myself, “this is stuff that I can handle, and stuff that I want to learn.” I knew CCNP was not required, but I took that path because I knew it would be good preparation towards that goal. It took me one year to get my CCNP and the day I passed my last exam I was already making notes on the blueprint and scouring the Internet for lab tips.

I started my blog a few months later because I really had no focus as to what I was doing. I didn’t have any workbooks or anything, I just had the written guide, dynamips and my 3550/3560 switches. I played around with my own labs and blogged ideas. Mike Down at IPexpert found my blog and gave me good deal for some rack time and for the Blended Learning Solution. This was the turning moment as now I felt I had a real path to follow. I passed the written shortly after (about 6 months in) and then joined groupstudy and the onlinestudylist.

Around this time, so many people were passing, I felt like time was slipping away! I decided the best thing to do was ignore all the stories and rumors and focus on my own path.

I did all the volume 1, 2 and 3 labs in order. Took me about 6 months doing a couple every weekend, sometimes 3 or 4. Actually I jumped ahead to Volume 3 at times because they were graded and I wanted to see how I was doing along the way. Any issues or new technologies I ran into, I would break down to small scenarios and lab them and blog about them.

On my way to work I would listen to the audio bootcamp. I probably listened to each track twice. After Volume 3 I bought an IE mock lab and did both Assessor labs. If not anything else, these gave me confidence in my last month of preparation. I did well on all of them and the things I missed were mainly because I did not follow the questions properly. I spent my final week watching the VODs with Scott Morris. I watched ALL the videos in the final weekend, probably about 25 hours or more.

The day of a lab I had a huge headache. I popped some excedrin and some tylenol and refused any caffeine for fear of worsening it. I got to the lab a little early and there ended up being about 10 people there, 4 for R&S. My mind was a wreck, I felt like crap. The one thing that kept me going was my belief in my preparation. I knew what I had to do. If it’s one thing you will learn about taking the CCIE lab exam, it is to trust your preparation.

The proctor explained the deal with the open ended questions (to curb cheating) and to be honest, they were very simple. No tricks. He said one or two lines should be enough but you have 30 minutes and no documentation. I finished them in a few minutes with the only bottleneck being my slow typing skills.

I started reading the lab. It was almost 1 hour before I logged into a router. I kept a level head throughout. I heard stories of people saying they were so confident when they left, but they still failed. I understood them now but I did not want to be that way. I could see how this lab could defeat me. After 5 hours I was done, but I stayed until the end verifying everything 1, 2 or 3 times. Pinging everything, saving all the time.

One hour left, I finally broke for a Mountain Dew! Boy did I need that. I was finding minor issues still 30 minutes left in the exam, I fixed a few but I really had to talk myself into relying on my configurations and instincts. I could see several ways of doing things and I had to pick one. I really think I saved at least 10 points in the last couple hours of verification. Do not leave early!

I watched a movie after the lab with my Dad who was in town that weekend. I got home at 10 or so and checked my email. The score report was ready. I was SHAKING. I had to re-type my ID and crap a few times to get it right. First thing I saw was “submit critique” or something like that. Then I saw “Congratulations…” or something. I didn’t believe it. Then I saw “PASS”…I still didn’t believe it. Then I saw #23707. It was official.

What a relief. It was a wonderful journey and I learned so much. I met a lot of great people that I never expected to meet. I look through my blog archives and see how dumb I was! Just another noob, a little wannabe Cisco networker, a tiny little soul on the path to who knows where, a CCIE to be.


“At last it is my turn to write this email. I passed R/S on March 5th in San Jose on my fourth attempt. I won’t go into detail about my studies, but hopefully someone will find some of this info useful. So what was different about this time? I was more relaxed, and double checked everything twice. I did not try to rush thru the lab, instead I made sure all my configs were mistake free, and only found one small error on my recheck. I took almost the full 30 minutes to answer the open ended questions, read the whole lab, and drew all my diagrams before even touching the keyboard. The open ended questions are not that bad, and I do agree with Cisco that if you studied for your lab properly you should not have any problems with them.

I want to thank Anthony Sequeira from Internetwork Expert for putting me back on the right track after my last failed attempt. Anthony you are a great mentor and keep up the good work.

Good luck to all the candidates who are taking the lab in the near future, and the best advice I can give you is not to stress out. Just follow your plan, stay calm, and you will do great.

Robert Nowosadzki
CCIE # 23743″

Pavel R&S


“Hello,

I just wanted to say thank you all for the great questions, answers and advice I got from this forum. I remember the day when I first posted in groupstudy – http://www.groupstudy.com/form/read.php?f=7&i=121109&t=121109 and would like to say a big thanks especially to Joseph Brunner and Jun Kim. Also big thanks to my brother, Brian McGahan, Brian Dennis, Scott Morris, Petr Lapukhov, Himawan Nugroho, Scott Vermillion and others.
I passed the R&S lab in Brussels in the beginning of February, this year, on my first attempt. It took me 2-2.5 years to prepare (9-10 months for the written, and the rest for the lab). I used mainly Cisco Press books, blogs, IE’s CoD, workbook volume 1 and 2, IE’s forums, IPExpert’s v9 workbook and forums, Netmaster’s Catalyst QoS VoD, ASET labs and last but not least – GroupStudy. I didn’t have my own home rack, used dynamips, PEC and some 2960s I had access to in the academy I used to teach courses. Now I’ve got to pass the matriculation exams after high school and then I’m starting my preparation for the SP track.
Once again, thanks everyone for the great posts.

Pavel”

“I passed my R&S Lab on Mar 17. I would like to thank this group and its
members as this is a great group if you are studying for the exam because of
the wealth of information and the help other members give. I would especially
like to thank Scott Morris, Jared Scrivener, Scott Vermillion, Narbik
Kocharians and Anthony Sequeira for their very knowledgeable posts which
answered a lot of my questions when I could find the answers anywhere else.
Narbik, Thank you for your excellent bootcamp and workbooks. I would like to
also thank InternetworkExpert for their excellent materials as well. These
materials helped me do it all. Thanks guys!

Timothy Chin
CCIE #23866″

“Hello All,

I have waited for the opportunity to write this email. I passed my
CCIE R&S Lab yesterday in Lagos (Mobile Lab). The journey started in
Dec 2006 when I passed the written test. I managed to combine my
studies with tight work schedule as an IT staff in a bank. I had my
first attempt in April 2008 at San Jose. Midway into the exam I knew I
would fail. I could not have the strength to continue with the rest of
the exam. I came back to Nigeria angry with myself.

I went back to work swearing that I would not take the lab again.
Thanks to my friend Daniel who encouraged me to take some time off
studies and then give it a shot again. I decided to go back but I
needed time to prepare. Each time I remembered the distance I covered
traveling from Nigeria to San Jose California I shuddered.

I made up my mind finally in August 2008 to attempt the lab again.
This time around I paid more attention on the areas I felt I did not
do very well the last time. Then came the mobile lab. I booked and
worked tirelessly to make sure I pass it this time. I took the lab
Yesterday. After the Open Ended, I went through the whole questions
line by line. By lunch time I had reachability to all my routers and
was done with IGP and BGP.

I ate very little at lunch time because I kept thinking of the
remaining questions. I went back and was done 2 hours before time. I
went through my solutions from the beginning. I knew at that point
that I will pass. The proctor was good “Only when you ask the right
way”.

For the materials, I used InternetworkExpert Labs, Core Workbook, COD,
God!! That is a wonderful material and Narbiks. I wish to thank the
Groupstudy, I read and archived loads of emails. You guys are great. I
wish to thank Daniel. Most importantly, I wish to thank my wonderful
WIFE for her patience and understanding. She threw her weight behind
me all the way. I can play with my children once again.

My advice is: Know the Technology and Do as many labs as possible
especially InternetworkExpert 7,8,9,10,11 and back.

Henry Ugwuadu
CCIE#23824 (R&S)”

Here is the first one. I was truly moved by his video of materials. You can catch him at his official site:

http://www.globalconfig.net/

“I know most of you have heard already, but if not, I passed the CCIE Security exam in RTP on March 13th, 2009. I wanted to take a moment to recap my journey.

I have been a Cisco Instructor for 8 years now. I have been teaching the CCSP track since its inception, and taught various courses of the CSS-1 prior to that. Although I was a CCSP, I didn’t take the CCIE Security Written exam until March 21, 2007. I passed with an 85 on my first attempt. I used the CCBootcamp written exam guide to prepare for that, along with my existing knowledge as a CCSP/Instructor.

Studying for the lab is a whole new ball game. It’s weird because there is a total difference between knowing the book material that Cisco tests you on for the Professional level certifications, and being able to teach it, and knowing the material that is on the CCIE lab exam and being able to implement it. Don’t get me wrong, I knew the material, and the concept of why things were happening were easy to me. What was difficult is putting it all together. When you teach an ASA class, IPS class, or any other security class for that matter, it doesn’t cover how all these things work together. That’s where the CCIE will get you!

Anyhow, I know people are wondering what material I used in preparing for the lab exam. I made a video to show you, mainly because I think the spread of material is impressive. Please do not get mad at me for killing a tree. In the future I’ll use PDFs. Also, forgive me for the quality of the video. I am too cheap to buy an HD camera. I made the video at 6-am so don’t expect much.

http://www.youtube.com/v/diV-TL39qJ8&hl=en&fs=1&rel=0&border=1

So, assuming you watched that video and know what I used to prepare, I’ll give you the run down of the lab.

First time was in San Jose. I was overwhelmed. I had a decent understanding but no strategy. I ran out of time and had maybe 50 points.

Second time was in San Jose as well. It went better than the first but still there were some grey areas for me and even though I took the InternetworkExpert Online Bootcamp and used Brian’s strategy I still was missing something.

The Third, and Final attempt was in RTP, North Carolina. There is no particular reason I switched to RTP. It’s not closer to me by any means. I live in Seattle. But I wanted something fresh. I stayed at the Wingate hotel which was great. The bed was comfortable and the rate was fair. I flew in the night before the exam. I arrived at the hotel at 9pm, took half of a sleeping pill (Melatonin) and crashed. I woke up refreshed and ready to go.

The hotel had a continental breakfast and I didn’t eat much but forced myself to eat a little. I stopped at Starbucks on the way, and headed over to the Cisco office. Now when you get there you should know that the building will remain dark until right around 7am. There is nobody there to meet you in the lobby. Someone from Cisco was taking the lab as well and they let me in the lobby using their badge. At about 7:10 the proctor came out. He was very nice and much more chatty than Tom (nice guy) in San Jose.

We were led back to the room and from there it’s your standard lab exam stuff. We broke at about 11 for lunch. I say about 11 because they cater in lunch and there wasn’t a set time. You still only get 30 minutes for lunch. I ate a bit and tried to work out some issues in my head.

I finished about 45 minutes early but left 15 minutes before the Proctor called it a day. That includes my clean up and so on. I didn’t use the last 45 minutes to do any extra verifications because I didn’t want to break anything. Then I went to dinner at the Angus Barn. I had Alaskan King Crab Claws, a 24oz New York Strip and an Oatmeal Stout. Pass or fail I was going to enjoy that meal.

The wait was excruciating. I didn’t get my results until about 8:30 on Sunday night, so if you are planning on taking the lab on Friday you should be aware of that.

Now that it’s over I am enjoying the fact that I don’t have a deadline staring me in the face, but I still love the technology and want to learn more. I think the next track that I am going to pursue is the CCIE voice, but I have the CCVP in between that I have to get up to Instructor level on. I already have the IPexpert CCIE Voice BLS and plan on renting from Proctor Labs.

The big kicker for me was the bootcamp at IPexpert and the labs I did after that. Without the information I gained from IPexpert’s Jared Scrivener I don’t think I would have passed. I’m not going to give away all of his tricks because that’s what he gets paid to do. But seriously, Jared, you are the man!

Also I can’t say enough about the support that I received from Ted Wagner at Ascolta. He really stood behind me even though there were other things he probably wanted me working on.

Wayne Lawson at IPexpert was another key player in my success along with Matt Brooks, Neil Apolzan, and Drew LaPla.

I can’t forget to mention Mike Down. Before Mike started pinging me online I only owned the IPexpert Volume 4.1 and the Proctor Guide, and I wasn’t really looking at using IPexpert.

One last person I have to mention is my wife. She was patient with me even though the family would take a hit from time to time while I was studying. The CCIE is not easy on a family but the accomplishment and the job security afterwards was the payoff I was looking for. I think I got it. Time will tell. At least I have her if the other stuff doesn’t pan out.

That’s about it for this rant. I’m going to keep blogging about topics that come up in my classes as well as through the contact form. When I start to study for the Voice IE I’ll try to blog it all here as well. In the meantime I am going to spend some time posting on Network World for the CCNA Wireless candidates and catching up on my sleep/socializing/theocratic activities/yard work/home improvement projects/reading/DVR/family videos/family photos/email/projects at work/fitness/weight loss/rss feeds/staring into space/day dreaming/playing darts with tyrel/texting my daughter/emailing my mom/calling my grandma/netflix/and enjoying whatever comes my way.”


Hello


Hello everyone ..

This blog lists various CCIE success stories found on the internet and the ways their authors studied.

If one of these stories belongs to you and you don’t want it blogged, mail or message me and I would be glad to remove it ASAP.

I don’t think posting these success stories here would hurt anyone, but if it hurts or disturbs, my heartfelt apologies, and I will be more than willing to remove them ASAP.

Best regards
Rakesh


The optional protocol qualifier
——————————-

> For icmp, the protocol qualifier can be echo, echo-reply or any of the other icmp packet types

> udp/tcp typically use port number specifications, but tcp has an additional qualifier
called “established”

> The “established” qualifier matches all tcp packets that are part of a tcp
connection that is already set up, regardless of source or destination port

> If the log keyword is used, a log entry is produced every time that access-list entry is
matched. This is available only with extended acl

Reference: example acl wildcard bits
—————————————

> The number of values matched is a power of 2: either 2, 4, 8, 16, 32, 64, 128 or 256
values can be matched together

> The starting address matched is a multiple of the number of values matched. If you match 2
addresses, the first address matched is a multiple of 2 (even); if you match 4
addresses, the starting address is a multiple of 4

>* Even if you start a range with an address in the middle of the range, the router will
store and display that access-list entry with the address that starts the range.
Using the previous example, the router would change 192.168.34.0 0.0.3.0 to 192.168.32.0
0.0.3.0. This property can cause confusion later when you debug access-list problems

some rules:
———-

> For clarity, your matching rules should always give the base address of a range,
followed by the mask. While any address within the range will work as the address, it is much
more understandable to start with the base value

> If you want to match some number of addresses that is not a power of 2, or that doesn’t
start at a multiple of a power of 2, you have to write two or more access-list entries, each
covering part of the range. An alternative is to include more addresses in the range

2.3.1 Good numbering practices
——————————

> Allocate one block of addresses, or reserve a block of addresses, for
present or future use

> Say you want 4 IPs to access the telnet service: it is better to assign 4 IPs contiguously in
one block rather than random ones. That way defining an acl is very easy
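
An added example (not part of the original notes): a Python sketch of the wildcard rules and the numbering advice above. normalize() clears the don't-care bits the way the router does when it stores an entry, and cover_range() goes a step beyond the text by splitting any address range into aligned power-of-2 blocks, which shows why an aligned block of 4 needs one entry and an unaligned one needs three. The function names and list number 10 are assumptions made for the illustration.

```python
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def normalize(addr: str, wildcard: str) -> str:
    """Clear every don't-care bit in the address, giving the base of the range."""
    base = to_int(addr) & ~to_int(wildcard) & 0xFFFFFFFF
    return f"{to_str(base)} {wildcard}"


def cover_range(first: str, last: str) -> list:
    """Split an inclusive address range into aligned power-of-two blocks.

    Each block is returned as a "base wildcard" pair, ready to follow
    permit/deny in an access-list entry.
    """
    lo, hi = to_int(first), to_int(last)
    if lo > hi:
        raise ValueError("first address must not be above last address")
    entries = []
    while lo <= hi:
        # Largest block that may start at lo is given by its lowest set bit.
        size = (lo & -lo) if lo else 1 << 32
        # Shrink the block until it no longer runs past the end of the range.
        while size > hi - lo + 1:
            size >>= 1
        entries.append(f"{to_str(lo)} {to_str(size - 1)}")
        lo += size
    return entries


if __name__ == "__main__":
    # The stored form of the entry discussed in the notes.
    print(normalize("192.168.34.0", "0.0.3.0"))
    # Constructed ranges: an aligned block of 4 hosts versus an unaligned one.
    for first, last in [("192.168.30.4", "192.168.30.7"),
                        ("192.168.30.5", "192.168.30.8")]:
        print(first, "-", last)
        for pair in cover_range(first, last):
            print("  access-list 10 permit", pair)  # list number 10 is constructed
```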

2.4 Building and maintenance of access-list
——————————————-

use of tftp is preferred for easy editing

to copy a file named routera using tftp we use

copy tftp://192.168.30.1/routera system:running-config

Generally, performing the following steps every time you configure a router with tftp will
greatly reduce security exposure (tftp itself has no authentication, so a readable file can
be fetched by any host that can reach the server)

1. make access-list readable only by router
2. configure router via tftp
3. make access-lists unreadable from the network to other users using tftp

saving the acl is just as simple, again using tftp:

copy system:running-config tftp://192.168.35.1/routera

steps for tftp security:
————————

1. make area writable by router
2. save config via tftp
3. make config file unwritable and unreadable from the network to other users on the tftp server

2.5 Named acl
————-

> To increase the number of acls available and to provide more descriptive names, more
recent versions of ios provide a facility called named acl

when creating a named acl, you first need to declare its name and type

#ip access-list standard name
#permit -
#deny –

The keyword “ip” comes first, followed by the type of acl (“standard” or “extended”) and the
name. Notice the change in prompt after this command

2.2 Extended acl


2.2 Extended acl
—————-

Standard acls allow all or nothing

To do packet filtering at a finer level of granularity we need a way to extend the standard
acl to include things like protocol, port number and destination ip

Understanding Tcp and Udp port numbers
————————————–

> Understanding tcp and udp port numbers is fundamental for using extended acl

> With tcp a connection is set up; with udp there is no connection setup

> ports are specified as 16 bit numbers

telnet – 23
http – 80
dns – 53

> A set of four values:

source ip address
source port
destination ip
destination port

uniquely identifies a client / server relationship and enables clients and servers to talk to
each other without confusion

> The port numbers below 1024 are called “well known ports”, defined by IANA

> Services can live on non-standard ports as long as both client and server processes agree
to use those ports

ex:

policy set 101: http packets to host 192.168.35.1
policy set 101: ssl packets to host 192.168.35.1
no other packets

access-list 101 permit tcp 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0 eq 80
access-list 101 permit tcp 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0 eq 443
access-list 101 deny ip 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0

> Extended acl entries begin with the “access-list” keyword, followed by a number between 100-199, which
is followed by permit/deny. This much is the same as for standard acl

> Things get different after the permit/deny keyword: extended acls specify the ip
protocol (tcp in the example above) to which the entry applies

> Next we have 2 address/mask pairs [there was a single pair in standard acl]. The first pair
defines the source and the next pair defines the destination

> The entry ends with another protocol-specific qualifier, the port number: “eq 80” allows
packets with destination port 80

> To use the access-list once the policy set is defined, we must apply it to a router
interface.

int fa0/0
ip access-group 101 in/out (depends on the condition and where you are applying)

2.2.1 Some general properties of access-lists
———————————————

> extended acl entries match against two ip addresses, as opposed to one ip
address for standard acl

> Masks of 0.0.0.0 are not optional for extended acl. The router assumes 0.0.0.0 if a standard acl
entry leaves off the mask

> Both have an implicit deny

> Ip address, wildcard mask matching and the implicit deny are common to all cisco
access-list structures and are important concepts in understanding acl

2.2.2 Matching ip protocols
—————————

other ip protocols can be specified with extended acl

access-list 102 permit 47 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0

> ip protocol 47 is the GRE (generic routing encapsulation) protocol. This protocol is used to tunnel
non-ip protocols such as novell ipx and appletalk through ip, and by pptp, a vpn protocol

2.2.3 More on matching protocols part
————————————-

We have created acl entries that match on the destination port of a udp / tcp packet. We
can also match on the source port. This is useful to keep spoofed packets from entering

ex: ntp uses udp port 123 as both source and destination port, so an acl entry would look
like this

access-list 102 permit udp 0.0.0.0 255.255.255.255 eq 123 192.168.35.1 0.0.0.0 eq 123

>* The source port is placed after source ip address / mask

> ‘eq’ key word forces matching packets to have port equal to the specified value

> ‘gt’ a matching packet must have port value greater than specified value

access-list 103 permit tcp 0.0.0.0 255.255.255.255 gt 1023 192.168.35.1 0.0.0.0 eq 20

for dns server :
—————-

access-list 102 permit udp 0.0.0.0 255.255.255.255 gt 1023 192.168.35.1 0.0.0.0 eq 53
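
An added example (not from the original notes): a small Python evaluator for the extended entries above, showing that a port qualifier applies to the source or to the destination purely by its position in the entry. The function names and sample packets are constructed for the illustration, and only numeric ports with eq and gt are handled.

```python
import ipaddress

PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47}

# ACL 102 entries as they appear in these notes (GRE, NTP and DNS examples).
ACL_102 = """
access-list 102 permit 47 0.0.0.0 255.255.255.255 192.168.35.1 0.0.0.0
access-list 102 permit udp 0.0.0.0 255.255.255.255 eq 123 192.168.35.1 0.0.0.0 eq 123
access-list 102 permit udp 0.0.0.0 255.255.255.255 gt 1023 192.168.35.1 0.0.0.0 eq 53
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _proto(name):
    return PROTO[name] if name in PROTO else int(name)


def _take_addr(tok):
    """Consume 'any', 'host A' or 'A W'; return (address, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0))


def _take_port(tok):
    """Consume an optional 'eq N' or 'gt N' qualifier at this position."""
    if tok and tok[0] in ("eq", "gt"):
        return tok.pop(0), int(tok.pop(0))
    return None


def parse_entry(line):
    tok = line.split()
    entry = {"text": line.strip(), "action": tok[2], "proto": tok[3]}
    rest = tok[4:]
    # Positional order: source, source port, destination, destination port.
    entry["src"] = _take_addr(rest)
    entry["sport"] = _take_port(rest)
    entry["dst"] = _take_addr(rest)
    entry["dport"] = _take_port(rest)
    return entry


def _addr_ok(spec, addr):
    base, wildcard = spec
    return (_ip(addr) | wildcard) == (base | wildcard)


def _port_ok(qualifier, port):
    if qualifier is None:
        return True
    if port is None:  # packet has no ports (GRE, for example)
        return False
    op, value = qualifier
    return port == value if op == "eq" else port > value


def evaluate(acl_text, pkt):
    """First matching entry decides; nothing matching means implicit deny."""
    for line in acl_text.strip().splitlines():
        e = parse_entry(line)
        if e["proto"] != "ip" and _proto(e["proto"]) != _proto(pkt["proto"]):
            continue
        if (_addr_ok(e["src"], pkt["src"]) and _port_ok(e["sport"], pkt.get("sport"))
                and _addr_ok(e["dst"], pkt["dst"]) and _port_ok(e["dport"], pkt.get("dport"))):
            return e["action"], e["text"]
    return "deny", "implicit deny"


if __name__ == "__main__":
    # Constructed packets: an NTP peer, then the same packet from a high source port.
    ntp = {"proto": "udp", "src": "10.1.1.1", "sport": 123, "dst": "192.168.35.1", "dport": 123}
    print(evaluate(ACL_102, ntp))
    print(evaluate(ACL_102, dict(ntp, sport=40000)))
```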

2.2.4 Text substitutes for commonly used ports and tasks
——————————————————-

Certain configs are so common that cisco developed text substitutes to use instead of port numbers
or address/mask pairs

For ip address/mask pairs:

0.0.0.0 255.255.255.255 -> any

[address] 0.0.0.0 -> host [address]

80 -> http
23 -> telnet
123 -> ntp
47 -> gre ( ip protocol)

2.2.5 generic format of extended access-list
——————————————–

access-list [list-number] [permit/deny] [protocol] [source] [source port] [destination] [destination port] [log]

if the log keyword is present, a log entry with the packet information is produced every time the
access-list entry is matched

No comments

2.1.5 Access-list wildcard masks versus network masks
——————————————————

Generally, for a network specified as a.b.c.d/n, the access-list wildcard mask that matches
all addresses in the network has 1s in the 32-n rightmost bits and 0s in the leftmost n bits

For the network 192.168.32.0/26, the acl wildcard mask that matches all addresses is
0.0.0.63

As a shortcut: 255.255.255.255 - subnet mask = wildcard mask

2.1.6 The implicit wildcard mask
——————————–

0.0.0.0 255.255.255.255

Since each bit is 1 in this mask, any ip address on any network will be matched

access-list 1 permit 192.168.30.1
access-list 1 permit 192.168.33.5

A 0 in a bit position indicates that the address must match exactly in that bit position. A standard
acl entry with no mask gets the implicit mask 0.0.0.0, so the entries above are the same as:

access-list 1 permit 192.168.30.1 0.0.0.0
access-list 1 permit 192.168.33.5 0.0.0.0

2.1.7 Sequential processing in access-list
——————————————

access-list 4 permit 192.168.30.0 0.0.0.255
access-list 4 deny 192.168.30.70

will not deny 192.168.30.70 as permit statement is encountered first

access-list 4 deny 192.168.30.70
access-list 4 permit 192.168.30.0 0.0.0.255

is the correct way to deny the host
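
An added example (not from the original notes): a Python model of first-match processing for the two orderings of access-list 4 above, with a check that flags entries an earlier entry already covers and which therefore can never match. The function names are assumptions made for the illustration; only numbered standard entries are parsed.

```python
import ipaddress

# The two orderings of access-list 4 from the notes above.
WRONG_ORDER = """
access-list 4 permit 192.168.30.0 0.0.0.255
access-list 4 deny 192.168.30.70
"""
RIGHT_ORDER = """
access-list 4 deny 192.168.30.70
access-list 4 permit 192.168.30.0 0.0.0.255
"""


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(config: str) -> list:
    """Parse 'access-list N permit|deny address [wildcard]' lines in order."""
    entries = []
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        # A standard entry with no mask gets the implicit mask 0.0.0.0.
        wildcard = _ip(tok[4]) if len(tok) > 4 else 0
        entries.append((tok[2], _ip(tok[3]), wildcard, line.strip()))
    return entries


def evaluate(entries: list, source: str) -> tuple:
    """Return (action, deciding entry) for a source address; first match wins."""
    src = _ip(source)
    for action, addr, wildcard, text in entries:
        if (src | wildcard) == (addr | wildcard):
            return action, text
    return "deny", "implicit deny"


def shadowed(entries: list) -> list:
    """List entries that can never match because an earlier entry covers them."""
    dead = []
    for j, (_, addr_j, wc_j, text_j) in enumerate(entries):
        for _, addr_i, wc_i, _ in entries[:j]:
            # Earlier entry i covers j when i ignores every bit j ignores
            # and the two agree on all bits i still compares.
            covers_bits = (wc_j & ~wc_i) == 0
            same_fixed_bits = (addr_j | wc_i) == (addr_i | wc_i)
            if covers_bits and same_fixed_bits:
                dead.append(text_j)
                break
    return dead


if __name__ == "__main__":
    for name, text in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        acl = parse_standard_acl(text)
        print(name, evaluate(acl, "192.168.30.70"), "shadowed:", shadowed(acl))
```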

2.1.8 Standard access-list and packet filtering
———————————————–

Standard access-lists are used to control packets flowing through a router. Network admins use
standard acls in this fashion when certain hosts need total access to hosts on a particular
subnet

To deny entire subnet 172.28.38.0
To permit 172.28.38.1
To permit 192.168.30.1
To permit 172.28.0.0

access-list 6 permit 172.28.30.1
access-list 6 permit 172.28.38.1
access-list 6 deny 172.28.38.0 0.0.0.255
access-list 6 permit 172.28.0.0 0.0.255.255

To assign it to an interface :

int fa0/0
ip access-group 6 out

2.1.9 Standard access-list generic format
—————————————-

access-list [list-number] [permit/deny] [ip addr] [wildcard mask(opt)]