Initial Draft

After 3 months at TCAM-INTERRUPT, I have decided to combine forces with my good friends; Daniel Rodriguez and Jose Miguel Huertas (CCIE #27028) to create Initial Draft on a more flexible blogging platform and post content on a regular basis, focused but not limited to our preparation for the CCIE R&S lab (I'm known for going off-topic).

The interesting content of this blog was migrated and Daniel and Jomi posted a couple of interesting articles for the unveiling of the site, and hopefully we will have new content every week.

So, please update your bookmarks to Initial Draft, drop us a line on the comment section or follow us on twitter.

CCIE R&S v4.0 Lab Exam Demo Video

On forums I find a lot of people asking about the interface used for the CCIE R&S Lab exam. Around 6 months ago, Cisco released a video with a tour of the interface, the narrator is not the most exciting in the land but you get the general idea and feel of the lab:

CCIE R&S v4.0 Lab Exam Demo

"This demo will familiarize candidates with the online interface that has replaced paper exams, which presents the virtual topology, test questions, documentation and tools. Strongly recommended for all candidates"

Cisco IOS menu autocommand with AAA/Cisco ACS

A customer has a router dedicated to a site-to-site IPSec VPN , the users of that VPN  are a small group that are not directly responsible for the router. They want a way to check the status of the WAN connection, the IPSec tunnel and also to force a clear crypto sa.

This could be solved with a looking glass but that would require a web server. An alternative solution could be a special user with a menu auto command:

menu VPN title @ VPN VERIFICATION / RESET MENU @

menu VPN text 1 ping Internet (OpenDNS)

menu VPN command 1 ping 208.67.222.222

menu VPN text 2 ping VPN (192.168.0.1)

menu VPN command 2 ping 192.168.0.1 source gi0/1/0

menu VPN text 3 sh crypto isakmp sa

menu VPN command 3 sh crypto isakmp sa

menu VPN text 4 sh crypto ipsec sa

menu VPN command 4 sh crypto ipsec sa

menu VPN text 5 Reset VPN  (clear crypto ipsec sa)

menu VPN command 5 clear crypto sa

menu VPN text 6 Exit

menu VPN command 6 exit

menu VPN clear-screen

menu VPN status-line

menu VPN line-mode

menu VPN single-space

My environment uses AAA with a Cisco ACS, so the special user has to be created in the Internal ACS database, restricted to only that router (Per User Defined Network Access Restrictions), allowing shell (exec) access and the auto command menu VPN (TACACS+ Settings)

The router has to refer to the authorization for exec to the ACS:

aaa authorization exec default group tacacs+ local

Of course, if you don’t use ACS and only use AAA with the local database, Ivan @ Cisco IOS Hints has a great example.

Testing:

Server "VPN-Router"    Line 6    Terminal-type xterm

              VPN VERIFICATION / RESET MENU

    1          ping Internet (OpenDNS)

    2          ping VPN (192.168.0.1)

    3          sh crypto isakmp sa

    4          sh crypto ipsec sa

    5          Reset VPN (clear crypto ipsec sa)

    6          Exit

Selection: 1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 208.67.222.222, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 84/95/140 ms

More info:

Cisco access control security: AAA administrative services (Brandon Carroll)

DocCD Managing Connections, Menus, and System Banners

INE CCIE R/S 4.X Expanded Study Blueprint with links

After my bootcamp with Anthony Sequeira, I decided to guide my studies using the INE CCIE R/S 4.X Expanded Study Blueprint, the original doesn't have links for all the topics, so here it is with links for almost everything. Any feedback is appreciated, specially for the few areas where I couldn't find any relevant information.

There is also a PDF version for download.

1.00    Implement Layer 2 Technologies

1.10    Implement Spanning Tree Protocol (STP)

 (a) 802.1d

 (b) 802.1w

 (c) 802.1s

 (d) Loop guard

 (e) Root guard

 (f) Bridge protocol data unit (BPDU) guard

 (g) Storm control

 (h) Unicast flooding

 (i) Port roles, failure propagation, and loop guard operation

 (j) STP manipulation through timers

 (k) PortFast, UplinkFast, BackboneFast

 (l) BPDUFilter

 (m) Root Bridge Placement

 (n) STP Port Cost and Port Priority

 (o) UDLD

1.20    Implement VLAN, Network Management and VLAN Trunking Protocol (VTP)

 (a) No VTP (TRANS)

 (b) Pruning

 (c) Bridging – Transparent, IRB, CRB

 (d) VTP Authentication

 (e) VTP Versions

 (f) Regular Macros

 (g) Smart Macros

 (h) SNMP

 (i) Telnet and Telnet Controls

 (j) SSH

 (k) Banners

 (l) Switch Virtual Interfaces (SVIs)

 (m) 3560s and VoIP Phone Support

1.30    Implement trunk and trunk protocols, EtherChannel, and load-balance

 (a) Static Config (No DTP)

 (b) Allowed VLAN

 (c) Router on a Stick

 (d) Native VLAN

 (e) ISL

 (f) 802.1Q

 (g) Manual EtherChannel

 (h) PaGP

 (i) LACP

 (j) Load Balancing Manipulation in EtherChannel

 (k) QinQ Tunneling

1.40    Implement Ethernet technologies

 (a) Speed and duplex

 (b) Ethernet, Fast Ethernet, and Gigabit Ethernet

 (c) PPP over Ethernet   (PPPoE)

1.50    Implement Switched Port Analyzer (SPAN), Remote Switched Port Analyzer (RSPAN), and flow control

 (a) SPAN and RSPAN

 (b) Flow Control (DOC-CD) (Blog)

1.60   Implement Frame Relay

 (a) Local Management Interface (LMI)

 (b) Traffic shaping

 (c) Topologies

 (e) Discard eligible (DE)

 (f) Static versus Dynamic L2 to L3 Resolution

 (g) Frame-Relay Interface-DLCI

 (h) Broadcast Queue

 (i) Frame End to End Keepalives

 (j) Load Interval

 (k) PING Local Interface

 (l) Multilink Frame Relay

 (m) PPP over Frame-Relay

 (n) Dynamic Mappings to 0.0.0.0

 (o) Troubleshooting Hub and Spoke

 (p) Frame Relay Switch Configuration

 (q) Subinterfaces

1.70    Implement High-Level Data Link Control (HDLC) and PPP

 (a) Clock Rate

 (b) CHAP

 (c) PAP

 (d) Peer Neighbor Route

 (e) Link Quality Monitoring

 (f) PPP Reliable Transmission

 (g) PPP Half Bridging

 (h) MLP

 (i) PPP Encryption MPPE

 

2.00    Implement IPv4

2.10    Implement IP version   4 (IPv4) addressing, subnetting, and variable-length subnet masking (VLSM) [2] [3]

 (a) Calculating the Optimum Summary Address

 (b) Binary Math Manipulation

 (1) Matching multiple networks with a single access list line

 (2) Matching odd or even subnets with a single access list line

(c) IP Unnumbered

(d) /31 Mask

2.20    Implement IPv4   tunneling and Generic Routing Encapsulation (GRE) [2]

  (a) Recursive Routing Issue

  (b) GRE Tunnel Keepalives

2.30    Implement IPv4 RIP version 2 (RIPv2)

 (a) Authentication

 (b) Offset List

 (c) Distribute List

            (1) Gateway Option

 (d) Timer Manipulation

 (e) Disabling Validation of Source IP Addresses

 (f) Split Horizon and Secondary IP Addresses

 (g) Summarization

 (h) Default Information Originate

 (i) Unicast Routing Updates

 (j) Passive Interface

 (k) Triggered Updates on WAN link

2.40    Implement IPv4 Open Shortest Path First (OSPF)

 (a) Standard OSPF areas

 (b) Stub area

 (c) Totally stubby area

 (d)  Not-so-stubby-area (NSSA)

 (e) Totally NSSA

 (f) Link-state advertisement (LSA) types

 (g) Adjacency on a point-to-point and on a multi-access network

 (1) OSPF Network Types

 (h) OSPF graceful restart

 (i) Demand Circuit

 (j) Authentication – methods of configuration and authentication types

 (k) Summarization

 (l) Area Transit Capabilities

 (m) Inbound Route Filtering

 (n) Auto Cost Reference Bandwidth

 (o) Unicasting Hello Packets

 (p) Cost Manipulation [2]

 (1) ip ospf cost

 (2) Bandwidth Manipulation

 (3) SPF Throttling

 (4) Incremental SPF

 (5) LSA Throttling

 (6) OSPF Link-State Database Overload Protection (was LSA Overhead Protection)

 (q) Loopback Advertising (Natural Mask)

 (1) Network Type (P2P)

 (2) Area Range

 (3) Redistribution

 (r) Timer Manipulation

 (s) OSPF ABR Type 3 LSA Filtering

 (t) Forwarding Address Suppression in Translated Type-5 LSAs

 (u) Router ID

2.50    Implement IPv4 Enhanced Interior Gateway Routing Protocol (EIGRP)

 (a) Best path

 (b) Loop-free paths

 (c) EIGRP operations when alternate loop-free paths are available, and when they are not available

 (d) EIGRP queries

 (e) Manual summarization and autosummarization

 (f) EIGRP stubs

 (g) Authentication

 (h) Composite Metric Manipulation

 (i) Applying Offsets to Metrics

 (j) Adjusting Timers

 (k) Unicasting updates

 (l) Use of the 0.0.0.0 in the network command

 (m) Manipulate the Bandwidth used by EIGRP

 (n) Distribute lists

 (o) Route Map Support

 (p) SNMP Support

 (q) EIGRP Prefix Limit

 (r) Passive Interface

 (s) NSF Awareness

 (t) Router ID

2.60    Implement IPv4 Border Gateway Protocol (BGP)

 (a) iBGP

 (1) Synchronization

 (2) Confederation

 (3) Route-Reflection

 (4) Non-BGP Speaker in Transit Path [2]

(a) Tunnel

(b) Redistribute

(c) Static route

(d) Default route

(e) Policy route

(5) Peer Groups

 (b) eBGP

 (1) Multihop

 (2) Next Hop Issues

 (c) Filtering, redistribution, summarization, attributes and other advanced features

 (1) Authentication

 (2) Router ID [2]

 (3) Prefix Advertisement

 (4) Automatic Summarization

 (5) Manual Summarization including suppression techniques

 (6) Maximum Prefix Limit

 (7) Load Balancing

 (8) Path Manipulation

                        (a) Local Pref

                        (b) MED

                        (c) AS PATH

                        (d) Weight

            (9) BGP Communities

            (10) Regex Engine Performance Enhancement

            (11) Hide Local AS

            (12) Conditional Route Advertisement

            (13) Remove Private AS

            (14) AS PATH Filtering

            (15) BGP Policy Accounting

            (16) NSF Awareness

            (17) Support for TTL Security Check

(18) Support for Fast Peering Session Deactivation

            (19) Support for Next-Hop Address Tracking

            (20) Outbound Route Filtering

2.70    Implement policy routing

 (a) PBR Support for Multiple Tracking Options

 (b) PBR Recursive Next Hop

2.80    Implement Performance Routing (PfR) and Cisco Optimized Edge Routing (OER)

  (a) Profile Phase

 (b) Measure Phase

 (c) Apply Policy Phase

 (d) Control Phase

 (e) Verify Phase

2.90    Implement filtering, route redistribution, summarization, attributes, and other advanced features

 (a) Administrative Distance Manipulation

 (b) Redistribution

            (1) Default Seed Metric

            (2) Setting parameters with a Route Map

2.95 On Demand Routing (ODR)

3.00    Implement IPv6

3.10    Implement IP version 6 (IPv6) addressing and different addressing types

 (a) Global Unicast

 (b) Link Local

 (c) Multicast

 (d) Anycast

 (e) Site Local

 (f) Unique Local Address

3.20    Implement IPv6 neighbor discovery

 (a) Router Discovery

 (b) Prefix Discovery

 (c) Parameter Discovery

 (d) Address Autoconfiguration

3.30    Implement basic IPv6 functionality protocols

 (a) ICMP version 6

3.40    Implement tunneling and transition techniques

 (a) Manual

 (b) GRE/IPV4

 (c) 6to4

 (d) ISATAP

 (e) NAT-PT

3.50    Implement OSPF version 3 (OSPFv3)

 (a) Special Area Types [2]

 (b) Summarization

3.60    Implement EIGRP version 6 (EIGRPv6)

 (a) Summarization

3.70    Implement filtering and route redistribution

3.80    Implement RIPng

 

4.00    Implement MPLS Layer 3 VPNs

4.10    Implement Multiprotocol Label Switching (MPLS)

 (a) MPLS LDP

 (b) MPLS Label Filtering

4.20    Implement Layer 3 virtual private networks (VPNs) on provider edge (PE), provider (P), and customer edge (CE) routers

 (a) PE-CE Routing with RIP

 (b) PE-CE Routing with EIGRP

 (c) PE-CE Routing with OSPF

 (d) PE-CE Routing with BGP

 (e) OSPF Sham Link

 (f) EIGRP SOO and Cost Community

 (g) BGP SOO

 (h) BGP AS Override

 (i) Internet Access

4.30    Implement virtual routing and forwarding (VRF) and Multi-VRF Customer Edge (VRF-Lite)

 (a) VRF-Lite

 (b) MP-BGP VPNv4

 (c) MP-BGP Prefix Filtering

 

5.00    Implement IP Multicast

5.10    Implement Protocol Independent Multicast (PIM) sparse mode

 (a) Source-based Trees

 (b) Shared Trees

 (c) Bidirectional PIM

5.20    Implement Multicast Source Discovery Protocol (MSDP)

 (a) Authentication

 (b) SA Message Limiting

 (c) Timer Adjustments [2]

 (d) MSDP Compliance with IETF RFC 3618

 (e) Filtering and TTL Thresholds

 (f) Monitoring MSDP with SNMP

5.30    Implement interdomain multicast routing

5.40    Implement PIM Auto-Rendezvous Point (Auto-RP), unicast rendezvous point (RP), and bootstrap router (BSR)

  (a) Auto-RP

 (1) ip pim autorp listener

 (2) Static mapping of Auto-RP groups:

ip pim rp-address 192.168.0.1 55

access-list 55 permit 224.0.1.39

access-list 55 permit 224.0.1.40

(3) PIM Sparse-Dense Mode

(4) IP Multicast Boundary

 (b) Static RP Assignment

 (c) BSR

 (1) BSR Border Interface

5.50    Implement multicast tools, features, and source-specific multicast

 (a) RPF

 (b) RPF Check

 (c) SSM

 (d) Multicast Helper

 (e) Multicast Rate Limiting

 (f) Stub IP Multicast Routing

 (g) sdr Listener Support

 (h) Load Splitting Multicast Traffic

 (i) Multicast Routing Monitor

 (j) Multicast Heartbeat

 (k) Anycast

5.60    Implement IPv6 multicast, PIM, and related multicast protocols, such as Multicast Listener Discovery (MLD)

 (a) IPv6 Multicast Addressing

 (b) MLD

 

6.00    Implement Network Security

6.01    Implement access lists

 (a) Time-based Access Lists

 (b) Log

 (c) Log-input

 (d) Block RFC 1918

 (e) RFC 3330 Filtering

 (f) VLAN Access Maps (VACLs)

 (g) MAC Access Lists

6.02    Implement Zone Based Firewall

 (a) Basic Configuration

 (b) Parameter Maps

6.03    Implement Unicast Reverse Path Forwarding (uRPF)

 (a) Access Lists with uRPF

6.04    Implement IP Source Guard

6.05    Implement AAA

 (a) Client Side in IOS

6.06    Implement Control Plane Policing (CoPP)

6.07    Implement Cisco IOS Firewall

6.08    Implement Cisco IOS Intrusion Prevention System (IPS)

 (a) Basic Configuration

6.09    Implement Secure Shell (SSH)
6.10    Implement 802.1x

(a) Reauthentication

 (b) Quiet Period

 (c) Host Mode

 (d) Guest VLAN

 (e) Accounting

6.11    Implement NAT

6.12    Implement routing protocol authentication

6.13    Implement device access control

  (a) Privilege Levels

  (b) Command Line Views

6.14    Implement security features

 (a) Private VLANs

 (b) IOS Resilient Configuration

 (c) Image Verification

 (d) IP Source Tracker

 (e) IP Traffic Export

 (f) Dynamic ARP Inspection

 (g) NO SERVICE PASSWORD-RECOVERY

 (h) Switchport Traffic Controls

 (1) Storm Control

 (2) Protected Ports

 (3) Port Blocking

 (4) Port Security

7.00    Implement Network Services

7.10    Implement Hot Standby Router Protocol (HSRP)

7.20    Implement Gateway Load Balancing Protocol (GLBP)

7.30    Implement Virtual Router Redundancy Protocol (VRRP)

7.40    Implement Network Time Protocol (NTP)

7.50    Implement DHCP

7.60    Implement Web Cache Communication Protocol (WCCP)

 

8.00    Implement Quality of Service (QoS)

8.10    Implement Modular QoS CLI (MQC)

 (a) Network-Based Application Recognition (NBAR)

 (b) Class-based weighted fair queuing (CBWFQ)

 (c) modified deficit round robin (MDRR)

 (d) low latency queuing (LLQ)

 (e) Classification

 (f) Policing

 (g) Shaping

 (h) Marking

            (1) CoS

            (2) DE

            (3) Experimental Bits [2]

            (4) IP Precedence

            (5) DSCP

 (i) Weighted random early detection (WRED)

 (j) Compression

            (1) RTP Header Compression

            (2) TCP Header Compression

            (3) Class-Based Header Compression Methods

 (k) Legacy QoS

(1) CQ

(2) PQ

            (3) FRTS

            (4) CAR

8.20    Implement Layer 2 QoS

 (a) weighted round robin (WRR)

 (b) shaped round robin (SRR)

 (c) policies

8.30    Implement link fragmentation and interleaving (LFI) for Frame Relay

8.40    Implement generic traffic shaping

8.50    Implement Resource Reservation Protocol (RSVP)

8.60    Implement Cisco AutoQoS

 (a) Requirements

 (b) VoIP

 (c) AutoQoS for Enterprise

 

9.00    Troubleshoot a Network

9.10    Troubleshoot complex Layer 2 network issues

9.20    Troubleshoot complex Layer 3 network issues

9.30    Troubleshoot a network in response to application problems

9.40    Troubleshoot network services

9.50    Troubleshoot network security

 

10.00    Optimize the Network

10.01    Implement syslog and local logging

10.02    Implement IP Service Level Agreement SLA

10.03    Implement NetFlow
10.04    Implement SPAN, RSPAN, and router IP traffic export (RITE)

 (a) SPAN

 (b) RSPAN

 (c) Router IP Traffic Export

            (1) Configure IP Traffic Export

            (2) Configure IP Traffic Capture

            (3) Filter with ACLs

            (4) Filter with Sampling

            (5) Capture Bidirectional Traffic

10.05    Implement Simple Network Management Protocol (SNMP)

 (a) Version 2

 (b) Version 3

10.06    Implement Cisco IOS Embedded Event Manager (EEM)
10.07    Implement Remote Monitoring (RMON)

10.08    Implement FTP

10.09    Implement TFTP

10.10    Implement TFTP server on router

10.11    Implement Secure Copy Protocol (SCP)

10.12    Implement HTTP and HTTPS

10.13    Implement Telnet

 (a) Access-Class

 (b) Session Limits

 (c) Busy, Vacant, Refuse, and Custom Messaging

 (d) Onscreen Message Suppression

 (e) Hiding Telnet Addresses

 (f) Login Enhancements

 

11.00    Extra

10.01    DNS

11.02    SDM

11.03    TCP