CCIE Written done… now the work starts!

Well all that studying seems to have paid off a little, today I sat the CCIE R&S Written exam (350-001) and passed it!

Without going into any NDA-breaking territory the exam was actually pretty easy, partially caused I think by studying some topics at a much deeper level than I perhaps needed.

During my time studying for the written exam I mainly used the Cisco Press CCIE R&S OCG but also used the INE Adv Technologies videos for some of the topics that I felt I needed more details on.

At the moment I can’t decide whether to take a weekend off studying or whether to dive straight into the lab studies.

Doing what I do best I am setting myself a goal to have the lab ready for April ’12. Given my past record with meeting cert deadlines I’m guessing this might get pushed back, but not by too much hopefully.

Going forward from here I am going to try and stick to (more in content than time) the INE study plan as it seems pretty reasonable and I could do with some kind of structured plan. Why create your own when someone has already gone to the trouble for you?

Security super notes – CCIE Written

My next topic for writing up my notes is the security section.

For this post and all posts following I will be using the CCIE blueprint from Cisco here (you may need CCO access to access that document but that is free).

My reasoning for structuring it like this is to make it easier both myself to reference and hopefully someone else will find it easier as well.

Some of the information is a little basic and will have been covered at CCNA and CCNP levels, but seeing as CCIE doesn’t actually have any prerequisites I thought it best not to leave any stone unturned.

Security

Implement access lists

There are two types of access lists that can be used on Cisco platforms; the standard access list and the extended access list.

Standard access lists are a little basic in their use and can only match on the source address of the traffic.

Extended access lists differ from standard access lists in that they can not only match on both source and destination addresses but they can also match a whole plethora of other things such as L4 src/dst port number, DSCP marking, packet size etc.

Just like there are two different types of access list there are also two different methods of configuring them.

Firstly there is the numbered access-list method (which is the older method), where the number you give to your ACL determines what type it is:

1-99        - Standard access list
100-199     - Extended access list
1300-1999   - Expanded standard access list (useful if you have >100 standard ACLs)
2000-2699   - Expanded extended access list (useful if you have >100 extended ACLs)

There is also the named access-list method, in which the name that you give to the access list is completely agnostic to the type of ACL it is. When you are using named access-lists you have to explicitly tell the CLI which type of access-list you are creating.

Things to remember about all ACLs:

  • All ACLs end with an implicit deny all
  • Order of statements in the ACL is critical (they are matched top down, first match wins)
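To make the two rules above concrete, here is an added example (my own code, not from the post or from Cisco) that models how an ACL is walked: entries checked top down, first match wins, and anything unmatched hits the implicit deny. The sample ACLs, packets and the dict-based entry format are constructed for this example.

```python
import ipaddress

# Added example, not from the original post: a small model of how IOS walks an
# access list, illustrating top-down first match, the implicit deny at the end,
# and the standard vs. extended distinction. Sample ACLs below are constructed.

def acl_type(number):
    """Map a numbered ACL to its type using the ranges listed in the notes."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError("not an IP access-list number: %d" % number)

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w == 0

def entry_matches(entry, pkt):
    """A standard entry has only a source; an extended one may add dst/proto/port."""
    if not wildcard_match(pkt["src"], entry["src"], entry.get("src_wc", "0.0.0.0")):
        return False
    if "dst" in entry and not wildcard_match(pkt["dst"], entry["dst"], entry.get("dst_wc", "0.0.0.0")):
        return False
    if entry.get("proto", "ip") != "ip" and entry["proto"] != pkt.get("proto"):
        return False
    if "dport" in entry and entry["dport"] != pkt.get("dport"):
        return False
    return True

def evaluate(acl, pkt):
    """Walk entries top down; the first match decides, otherwise the implicit deny."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry["action"]
    return "deny"          # the implicit 'deny any' every ACL ends with

# Constructed sample, equivalent to: access-list 10 permit 192.168.1.0 0.0.0.255
STANDARD_10 = [{"action": "permit", "src": "192.168.1.0", "src_wc": "0.0.0.255"}]

# Constructed sample of a named extended ACL: block telnet from one host, then permit the subnet
EXT_BLOCK_TELNET = [
    {"action": "deny", "proto": "tcp", "src": "10.0.0.5", "dst": "0.0.0.0", "dst_wc": "255.255.255.255", "dport": 23},
    {"action": "permit", "proto": "ip", "src": "10.0.0.0", "src_wc": "0.0.0.255", "dst": "0.0.0.0", "dst_wc": "255.255.255.255"},
]

if __name__ == "__main__":
    telnet = {"src": "10.0.0.5", "dst": "10.1.1.1", "proto": "tcp", "dport": 23}
    print(evaluate(EXT_BLOCK_TELNET, telnet))                  # deny
    print(evaluate(list(reversed(EXT_BLOCK_TELNET)), telnet))  # permit: order matters
    print(evaluate(STANDARD_10, {"src": "172.16.0.1"}))        # deny: implicit deny
```

Swapping the two extended entries shows why order is critical: the broader permit then shadows the telnet deny.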

Multicast mega notes – CCIE Written

With under a week to go until my CCIE written test it’s time to go over my notes and get some of them written up to get them fresh in my mind. Today's notes of choice are my multicast notes.

The notes may be a little sparse in places so if you can add anything or spot any mistakes please let me know.

Multicast notes

Common Multicast addresses

Multicast address   Description
224.0.0.1           All-hosts group, containing all devices on the same network
224.0.0.2           All-routers group, containing all routers on the same network
224.0.0.13          PIM version 2
224.0.0.22          IGMP version 3
224.0.1.39          Cisco Auto-RP-Announce address
224.0.1.40          Cisco Auto-RP-Discovery address

Multicast address types and ranges

  • Local network – Addresses in the range 224.0.0.0 – 224.0.0.255 are assigned by IANA and are designated for applications that are to be used on the local network only; they are not to be routed on the internet.
  • Internetwork control block – Addresses in the range 224.0.1.0 – 224.0.1.255 are assigned by IANA and are designated for applications that should be routed over the internet (such as NTP, 224.0.1.1).
  • SSM address block – Addresses in the range 232.0.0.0/8 are reserved for use by source-specific multicast applications.
  • GLOP addresses – Addresses in the range 233.0.0.0/8 are reserved for use by organizations that have been allocated an AS number; the second and third octets of the address are made from the 16 bits of the AS number.
  • Admin scoped addresses – The 239.0.0.0/8 range is considered private (much like the RFC1918 unicast address ranges) and therefore should NOT be seen routed on the internet.
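As an added example (my own code, not part of the original notes), the following classifies a multicast address into the blocks listed above and derives an organization's GLOP /24 from its 16-bit AS number, plus the reverse lookup. The well-known address table is taken from the notes; the AS number used in the test is a constructed sample.

```python
import ipaddress

# Added example, not part of the original notes: classify a multicast address into
# the blocks described above and derive a GLOP /24 from a 16-bit ASN. The
# well-known address dict reproduces the table in the notes.

BLOCKS = [
    ("local network control", ipaddress.ip_network("224.0.0.0/24")),
    ("internetwork control", ipaddress.ip_network("224.0.1.0/24")),
    ("source-specific multicast", ipaddress.ip_network("232.0.0.0/8")),
    ("GLOP", ipaddress.ip_network("233.0.0.0/8")),
    ("administratively scoped", ipaddress.ip_network("239.0.0.0/8")),
]

WELL_KNOWN = {
    "224.0.0.1": "all hosts", "224.0.0.2": "all routers",
    "224.0.0.13": "PIMv2", "224.0.0.22": "IGMPv3",
    "224.0.1.39": "Auto-RP announce", "224.0.1.40": "Auto-RP discovery",
}

def classify(addr):
    """Return (block name, may be routed on the internet?, well-known use or None)."""
    ip = ipaddress.ip_address(addr)
    if not ip.is_multicast:
        raise ValueError("%s is not a multicast (224.0.0.0/4) address" % addr)
    for name, net in BLOCKS:
        if ip in net:
            break
    else:
        name = "other multicast"
    # Local-control addresses are never routed; admin-scoped ones stay inside the org.
    internet_ok = name not in ("local network control", "administratively scoped")
    return name, internet_ok, WELL_KNOWN.get(addr)

def glop_block(asn):
    """233.<high byte of ASN>.<low byte of ASN>.0/24, as described in the GLOP bullet."""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("GLOP only covers 16-bit AS numbers")
    return ipaddress.ip_network("233.%d.%d.0/24" % (asn >> 8, asn & 0xFF))

def glop_asn(addr):
    """Inverse: recover the AS number that owns a GLOP address from octets 2 and 3."""
    ip = ipaddress.ip_address(addr)
    if ip not in ipaddress.ip_network("233.0.0.0/8"):
        raise ValueError("%s is not a GLOP (233.0.0.0/8) address" % addr)
    o = ip.packed
    return (o[1] << 8) | o[2]
```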

PIM (Protocol Independent Multicast)

  • Protocol independent means that it doesn’t matter which type of unicast routing protocol you use underneath.
  • There are other multicast routing protocols that do rely on particular routing protocols like M-OSPF (multicast OSPF).
  • There are three modes of PIM in use: sparse mode, dense mode and sparse-dense mode.
  • Sparse mode supports two types of trees, the (*,G) tree and the (S,G) tree. The latter is more efficient as the traffic travels along the shortest path (also known as the SPT), whereas the shared tree can travel along a less than ideal route to the destination.
  • Dense mode by default runs in (S,G) mode, flooding all traffic throughout the domain. This is less than ideal as traffic can be flooded to places that do not need it. Dense mode does allow traffic to be pruned, but pruning is only a temporary action and therefore needs to be constantly refreshed.
  • On a shared LAN segment with multiple PIM routers, only one of them forwards the join/prune messages towards the RP. This role is called the ‘Designated Router’ (DR), and the router with the highest IP address is elected as the DR.