CCIE Pursuit Blog

February 5, 2008

CCIE Blogs: CCIE In 3 Months

I’m still working on my latest posting of newly discovered CCIE blogs, but I wanted to post about the CCIE In 3 Months blog.  This blog is run by a recently minted Routing and Switching CCIE who undertook a Herculean task (doubly apt since the blogger is Greek like Heracles) of passing the CCIE lab exam in 3 months from start to finish.  I am working my way through his posts now, but I wanted to point you to some of his posts. 

CCIE Lab – The chronicle of success – an excellent blow-by-blow account of his lab experience and the days leading up to it.

CCIE Lab – Things i didn’t do – There are some surprises here, such as not using a workbook.

CCIE Lab – How much money it costed – self explanatory.  :-)

My CCIE in numbers – an interesting list.  My favorite examples:

0 tasks unanswered in the CCIE Lab
1 CCIE Lab attempt
2 CCIE Assessor Labs
3 months of preparation
7 hours of mp3 personal recorded material
10 questions to the proctor during my CCIE Lab
11 candidates on the same room during my CCIE Lab
13 GB of HD space used for Dynamips/Dynagen practicing
15 days of complete isolation
16 hours max time spent on a single day during my practice
18 hours of Rack Rentals
20 days missing from my work
25 minutes max time spent on a single task during my CCIE Lab
28 hours spent until completing IE’s sample lab
30 seconds min time spent on a single task during my CCIE Lab
45 net files used for Dynamips/Dynagen
53 GB of HD space used for all my CCIE material
68 runs of Windows calculator
80 points average on online evaluation labs
158 pages of handwritten notes
180 hours of reading books before starting practice
342 config files created by Dynamips/Dynagen
390 minutes max time spent on a single task during my practice
528 hours of practicing with Dynamips/Dynagen
820 clicks on Cisco’s online DocCD
1380 pages of printed material
3698 euros totally spent
18883 CCIEs before me (1025 was the first one)

Congratulations to Tassos for completing such a difficult task in such a short amount of time.  I strongly suggest surfing over and checking out Tassos’ postings.  .You can even cast your vote on which certification he should pursue next.

Status Update: 27 January – 03 February

It had to happen sometime, but this weekend I completely dropped the ball on my studies.  I started the week out strong with some rare mid-week rack time, but ended up only getting about 4 hours on the rack over the weekend.  I really couldn’t get started on Saturday.  Between ennui and getting sucked into issues at work (work was really hectic last week) I only managed 4 hours on the rack.  I vowed to make up the time on Sunday.

I went out Saturday night to get together with a couple of friends that I haven’t seen in years.  My Google calendar had this event running from 6 pm – 8 pm.  Eat, shoot the shit, and get back home.  Enter the $3 margarita.  Needless to say, the night stretched way into Sunday morning.  Sunday my head was absolute mush.  I attempted to do some labbing, but could never get started.  I gave up and watched the Super Bowl.

Here are my goals from last week: 

Finish Volume II lab 6.  Redo Volume III lab 1.  Do the Volume I BGP labs.

I finished Volume II lab 6.  That’s all I finished.  This was a very good lab.  It was the first difficulty level 7 lab (equivalent to the difficulty of the actual lab) I have attempted.  It was a tough lab, but very fair.  I am still messing up enough that I have no chance of passing, but I’m not hitting much that I don’t know how to configure.

This Wednesday I have a day off from work.  I have rented some rack time and will attempt Volume I lab 1 as a mock lab.  I will simulate the lab enviroment by doing the lab from beginning to end without any resources except the DOC in an 8.5 (30 minutes for lunch) block.  Although this is the easiest of the Volume II labs (difficulty rating of 5) it will at least give me some idea of where I’m at time-management wise.  It will also be the first lab that I have attempted where I will not be verifying my solutions at the end of each section.  So an early mistake will probably go unnoticed.  I will not be blogging the lab with the detail that I have for the other labs.  I will eventually redo this lab and blog about it at that time.

I am also going to commit more time to reading.  I started rereading the OSPF chapter(s) in Routing TCP/IP again.  This is probably my third time through this material, but I am finding that I still pick up new bits each time as well as fortifying the stuff that I already know.

Goals for this week:  Do Volume II lab 1.  Read OSPF chapter in Routing TCP/IP.  Redo Volume III lab 1.

Days Until Lab: 117
Readiness (1 to 10): 2
Lab Hours This Week 10
Study Hours This Week (estimate): 3

Internetwork Expert Volume II: Lab 6 – Section 3

Interior Gateway Routing – 24 Points

3.1 OSPF

Basic hub-and-spoke OSPF task:

“Do not use the ip ospf network statement on any of these devices.”

r1(config-router)#do sh ip os int s0/0 | i Type
  Process ID 100, Router ID, Network Type NON_BROADCAST, Cost: 64

r2(config-router)#do sh ip os int s0/0 | i Type
  Process ID 100, Router ID, Network Type NON_BROADCAST, Cost: 64

r5(config-router)#do sh ip os int s0/0 | i Type
  Process ID 100, Router ID, Network Type NON_BROADCAST, Cost: 64

Neighbor statements on the hub and “ip prio 0″ on the spokes will take care of the job.

r1#sh ip os neig

Neighbor ID     Pri   State           Dead Time   Address         Interface        0   FULL/DROTHER    00:01:54    Serial0/0        0   FULL/DROTHER    00:01:46    Serial0/0

3.2 OSPF

There were a TON of subtasks on this one.

You’ll need to remember that you changed the MTU size on sw3 and sw4 back in task section 1 as you’ll need ‘mtu-ignore’ on r4 and r5.

There are a ton of redistribute connected with route-maps as well.  You’ll need to use redistristribution rather than configuring ‘ip ospf x area y’ under the loopback 0 interfaces because the switches don’t currently support that function yet.

route-map CONN->OSPF permit 10
 match int lo0
 set tag 101
router os 100
 redist conn sub route-map CONN->OSPF

You are asked to advertise r5′s loopback 0 as well but cannot use redistristribution or a network statement under the OSPF process.  You can configure this under the loopback 0 interface.  No area is specified, IE used area 0 (so did I).

r5(config)#int lo0
r5(config-if)#ip ospf 100 area 0

3.3 OSPF

Another task with a lot of configuration.

“Traffic from sw2 to VLAN 7 should transit the Serial link between r2 and r3.”
“In the case that the link between r1 and r3 is down traffic from sw1 to vlan 7 should transit the ethernt link between r4 and r5.”

vlan 7 is on sw1

sw2#sh ip route
% Subnet not in table

sw2 is in area 48 which does not have a connection to area 0, so we’ll need to build a virtual link first to get that route to sw2.  As a matter of fact, we’ll need need to build a number of virtual-links to complete our OSPF domain.  After connecting all areas:

sw2#sh ip route
Routing entry for
  Known via “ospf 100″, distance 110, metric 68, type inter area
  Last update from on FastEthernet0/18, 00:14:33 ago
  Routing Descriptor Blocks:
  *, from, 00:14:33 ago, via FastEthernet0/18
      Route metric is 68, traffic share count is 1


Type escape sequence to abort.
Tracing the route to

  1 0 msec 0 msec 0 msec
  2 8 msec 0 msec 0 msec
  3 34 msec 25 msec 34 msec
  4 58 msec 51 msec 58 msec
  5 59 msec *  51 msec

So I need to make r2 and r1 prefer the path to r3 – rather than the FR.  I can do that with cost or change the bandwidth (indirectly change cost).  The Ethernet connection from r4 to r5 will be used only as a last choice because I cranked up the cost:

r4(config-subif)#ip os cost ?
  <1-65535>  Cost
r4(config-subif)#ip os cost 65534

r5(config-router)#int fa0/1.45
r5(config-subif)#ip os cost 65534

With Frame Relay connection up:


Type escape sequence to abort.
Tracing the route to

  1 0 msec 9 msec 0 msec
  2 msec 0 msec 8 msec
  3 msec 9 msec 0 msec
  4 8 msec *  0 msec

With Frame Relay down:

r3(config)#int s0/0:0


Type escape sequence to abort.
Tracing the route to

  1 msec 0 msec 8 msec
  2 msec 0 msec 0 msec
  3 8 msec 9 msec 0 msec
  4 8 msec 9 msec 8 msec
  5 8 msec *  0 msec

This is a pretty easy to lose track of your IGP build because the last two tasks have you building buttloads of areas.  Make sure to look at your IGP diagram and figure out where your virtual-links need to be built.

3.4 OSPF Filtering

“Configure the network so that r2 filters all routing advertisements to sw1 with the exception of a default route.”
“Do not use a distribute-list or prefix-list to accomplish this.”

Sounds like a stub network to me.  Now to decide which flavor of OSPF stub to use.

We are redistributing int lo0 on sw1:

router ospf 100
 redistribute connected subnets route-map CONN->OSPF
route-map CONN->OSPF permit 10
 match interface Loopback0
 set tag 71

We’ll need to use NSSA with a default route.

area nssa

I had the right idea, but I missed the ‘no-redistribution’ keyword

 (Optional) Used when the router is an NSSA Area Border Router (ABR) and you want the redistribute command to import routes only into the normal areas, but not into the NSSA area.
 (Optional) Allows an area to be a not-so-stubby area but not have summary routes injected into it.

The IE solution guide says that the last two subtasks (see above) means that that sw1 should not see a specific route to sw1′s loopback.  I did not get that from reading the task, but it’s obvious that is what is meant if you look at the OSPF routes on sw1 without the no-redistribution keyword:

area 27 nssa no-summary (on r2):
sw1#sh ip route os is subnetted, 2 subnets
O N2 [110/20] via, 00:00:17, FastEthernet0/14
O*IA [110/2] via, 00:00:22, FastEthernet0/14

area 27 nssa no-redistribution no-summary (on r2):
sw1#sh ip route os
O*IA [110/2] via, 00:00:04, FastEthernet0/14

The solution guide has a very detailed write up about this task.

3.5 OSPF Authentication

All area 0 adjacencies should use MD5 hash and all non-area 0 adjacencies should use a clear-text password.

area authentication

 (Optional) Enables Message Digest 5 (MD5) authentication on the area specified by the area-id argument.
Type 0 authentication (no authentication)

ip ospf authentication-key

ip ospf authentication

The biggest pitfall in this task is that you need to remember that OSPF virtual-links are area 0 links (and will require md5 authentication in this task).  Don’t get thrown off by the fact that the virtual-link command shows the area that the link is transversing (i.e. ‘area 12virtual-link′) and think that you should apply the authentication method for that non-zero area.

3.6 Default Routing

You’re asked to inject a default route into the OSPF domain on r3 with this stipulation:

“In order to prevent the unnecessary forwarding of traffic that will eventually be dropped, ensure that r3 only advertises this default route if it has an active connection to either bb2 or bb3.”

I was completely lost on this task.  I knew that I needed to use ‘default-information originate’ to inject the default route, but I didn’t know how to make that route conditional.

This is one of those case where you can harvest some points from the DOC:

default-information originate (OSPF)

route-map map-name
 (Optional) Routing process will generate the default route if the route map is satisfied.

3.7 RIPv2

“r3 should not accept any routes from bb3 that have an odd number in the first octet.”

Sweet.  I’ll write an ACL and us an offset-list to poison those routes…..or not:

“Do not use a distribute-list or an offset-list to accomplish this.”

Shit.  What’s the third way?  I got stumped on this one and I really shouldn’t have been:

distance (IP)

r3#sh run | sec router rip|access-list
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/1
 distance 255 69
 no auto-summary
access-list 69 permit

r3(config)#do sh ip route rip is subnetted, 4 subnets
R [120/1] via, 00:00:04, FastEthernet0/1
R [120/1] via, 00:00:04, FastEthernet0/1
R [120/1] via, 00:00:04, FastEthernet0/1
R [120/1] via, 00:00:04, FastEthernet0/1 is subnetted, 4 subnets
R [120/1] via, 00:00:04, FastEthernet0/1
R [120/1] via, 00:00:04, FastEthernet0/1
R [120/1] via, 00:00:04, FastEthernet0/1
R [120/1] via, 00:00:04, FastEthernet0/1

r3#sh ip route rip is subnetted, 4 subnets
R [120/1] via, 00:00:02, FastEthernet0/1
R [120/1] via, 00:00:02, FastEthernet0/1
R [120/1] via, 00:00:02, FastEthernet0/1
R [120/1] via, 00:00:02, FastEthernet0/1

I’m not sure why IE redistributed r6′s lo0 into RIP.  The subtask states:

“Advertise r6′s loopback 0 into RIP.”

The IE solution shows the network advertised under the RIP process as well as the loopback 0 interface redistributed (via connected) into RIP.  Strange. 

I’m not the only one confused by this: 

Task 3.7

3.8 IGP Redistribution

“Redistribute between OSPF and RIP on r3.”

This has to be the easiest IGP redistribution scenario yet.  I only have to deal with RIP and OSPF and

I’m tasked with mutual redistribution on a single device.  Of course there are these requirements:

“All routers in the OPSF domain should have a longer match for r6′s interface loopback 0.”
“No other routes should be redistributed from RIP to OSPF.”


IE says that this means:

“…simply means that RIP should be redistributed into OSPF, but when RIP is redistributed into OPSF the only prefix the should be allowed is r6′s loopback 0 network.”

Lab 6 Task 3.8 IGP redistribution

Task 3.8

Rereading this task (after messing up my configuration) I understand it now.  The last subtask specifies that only r6′s loopback should be redistributed from RIP to OSPF.  This task was like an optical illusion to me.  Once I understood what they wanted, I couldn’t figure out how I had missed it before.  :-) 

I completely screwed this task up.  If I got this in the lab I would have failed for sure.


You’ll start seeing this message soon after your EIGRP adjacency comes up:

*Mar  5 08:49:19.600: IP-EIGRP(Default-IP-Routing-Table:10): Neighbor not on common subnet for Serial0/0

“…configure r6 so that it does not accept any EIGRP packets on the Frame Relay interface except for those sent from BB1.”

Oh fun.  :-(

You have to be careful when building your ACL so that you don’t break EIGRP. Don’t forget to add a permit at the end of your ACL:

ip access-list extended EIGRP_FILTER
 permit eigrp host any
 deny   eigrp any any
 permit ip any any <-IMPORTANT!!!

3.10 VPN Routing

I nearly crapped myself when I saw ‘VPN’.  It turns out that this is a rather easy GRE tunnel task.

“As an additional integrity check ensure that any corrupt packets received on the VPN interface are discarded.”

tunnel checksum 

The Rubric Theme Blog at


Get every new post delivered to your Inbox.

Join 109 other followers