Monday, October 1, 2007

Stress is Five Consecutive Dots

I feel crappy today. I just attempted to lab up the section I had difficulty with during my exam and guess what, the 5 bangs I've been trying to squeeze out of the router that day are streaming effortlessly now in front of me. I'm pretty sure that I'm recreating it now the same way as I had it in my exam. I remember thinking when I started reading the exam that it should be a straightforward task, but after configuring my routers, it just wouldn't work. I must have been violently hitting the keyboard trying to outdo the CCIE Voice examinee beside me, who was banging the phones' handsets furiously throughout the day.

Which brings me to my conclusion on why I failed my first attempt: stress and self-induced pressure got the best of me.

But then again, maybe there was some hidden issue that I completely missed. If that is true, then it points back to the original problem: I must have been so stressed out that I missed the problematic issue. So stress management is not something that you can ignore. I knew part of me was confident and ready that DAY, but part of me was really anxious and worried. I couldn't sleep the night before the exam. And I did the ultimate sin, I crammed the day before the exam! Well, it's not really cramming, but I went over all my study notes and sample configurations. Old college habits just die hard.

Like many people who think life's manual can be found on the Internet, I turned to Lifehacker for help. There were many articles on relaxation techniques, i.e. breathing patterns, meditation, acupressure, etc. instantstressmanagement.com looks helpful but I haven't really read through it. But rest assured, learning at least one of the stress-management techniques is already on my CCIE preparation to-do list.


Also, I remember reading somewhere that you should stop studying a few days before the exam. Maybe it's a good idea to follow this advice. I should have listened to my wife when she was telling me to slow down and relax.

So on my next lab attempt, if ever I see those five consecutive dots again, I will break out into the lotus position, visualize my happy place and breathe out a long A000000000MMMMMMMMMM.

The pursuit of CCIE happiness

I just recently discovered the CCIE Pursuit Blog in one of my RSS feeds. This excellent blog is exactly what I am trying to accomplish with my blog. That is, if only I could put in more time to update this blog.

Fellow CCIE candidates will surely relate to the author as he chronicles his thoughts and activities in preparation for THE DAY. He even posts the running cost of his CCIE expenses and gives a weekly status update of his study. Best of all, he takes time to share issues that he encounters in his labs.

Well, good luck to him and may his blog be short-lived, I mean, may his pursuit for CCIE be a short and easy one.

Friday, September 21, 2007

1st Attempt No Good

I've been very busy lately with projects at work and preparing for my CCIE lab. Well I'm back with sad news... I failed my first attempt at CCIE Lab Security.

It's very frustrating since I worked very hard for it and used up a significant amount of my savings. But I guess that's life, win some, lose some.

Here are the lessons learnt. These are things I should have done:
1. Really understand the technology behind the configurations. You must know it well enough that you won't be thrown off if you encounter an unfamiliar topology or have to troubleshoot an obscure issue.

2. Really understand the output of the relevant show commands. This will really help in troubleshooting and in verifying the requirements asked.

3. Do not rely on the lab workbooks. I can say that the workbook I bought was very helpful in brushing me up on the basics of the various security topics. But it is not enough! I don't think any vendor's workbook will be enough as a single source to prepare for the CCIE. So my action plan to prepare for my second attempt is to make my own lab scenarios built on top of the labs in the workbook. I believe I would have had a better chance of passing the first time if I had continued studying beyond what is in my workbook.

4. Learn to organize your thoughts during the exam. Draw lots of diagrams on the paper provided. What I did was isolate each section into a separate diagram. Make sure you include the transit devices in your diagram. It will aid you in spotting issues before you attempt to configure the devices. Some people write down the L2 reachability and routing in tables but I didn't see the need for that (since I was taking the CCIE Security track).

5. Learn to relax during the exam. I haven't figured out how to do this yet. I can tell you I haven't been under that much stress since my university days. The first 4 hours before the lunch break were hell. I almost wanted to give up and jump out the window :) But I managed to loosen up a bit after the lunch break. I think I managed to figure out and answer more during the second half of my lab. So I guess stress management is important here.

All in all, it was a good experience for me. As they say, you learn more from your mistakes. And besides, I had the perfect excuse to travel to Brussels and Amsterdam ;)

Thursday, April 19, 2007

Rejoice! Pixemu lives.

A smart guy using the handle mmm123 posted in the Dynamips forum how he created a PIX emulator on his PC using QEMU. I tested it and it works like a charm! Here's what you need to do.

1. Download QEMU. As a dependency, you might need to download SDL as well.

2. Download the Pixemu binary. You need to register to the forum first.

3. Get a copy of the PixOS. I used Pix version 7.2.2(10).

4. I've read in the thread that in theory it is possible to run QEMU on Windows, but it will be a pain to make it work. To make it run on Windows without the headache, I downloaded the Fedora Core 4 minimal install VMware image and ran it using the free VMware Player.

5. Copy the qemu, pixemu and PixOS software (via tftp, ftp or scp) to your FC4 virtual machine. Of course, you have to set up the virtual machine's network settings first.

6. Install (rpm -ivh) SDL and QEMU in the virtual machine.

7. Untar (tar -jvxf) the pixemu binary.

8. Create flash disk by running this command:
dd if=/dev/zero of=FLASH bs=1k count=16k

9. Unzip the Pix OS then copy the unzipped file in the same folder as pixemu.
unzip pix721.bin
mv target/f1/pix ./pixemu

10. You should be all set. Read the README, and edit pixemu.ini if you need to change the serial number, PIX filename, etc. To run the PIX emulator:
pixemu -net nic,vlan=1,macaddr=00:aa:00:00:02:01 -net tap,vlan=1,script=if1up -net nic,vlan=2,macaddr=00:aa:00:00:02:02 -net tap,vlan=2,script=if2up -serial stdio -m 128 FLASH -no-kqemu

You can find a sample setup here where pixemu is integrated with dynamips. Awesome!
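The start-up steps above, wrapped in a small POSIX shell script. This is an added example, not code from the original post or from pixemu itself; it assumes you run it from the pixemu directory with the pixemu binary on your PATH, that the if1up/if2up tap scripts already exist, and it generalizes the two-interface command line to N interfaces using the post's MAC scheme.

```shell
#!/bin/sh
# Added example (not from the post or pixemu): automate the flash
# creation and start-up steps. Assumes the pixemu binary is on PATH,
# pixemu.ini and the "pix" image sit in the current directory, and the
# if<N>up tap scripts exist. Flash size (16 MB) and the MAC scheme
# 00:aa:00:00:02:<N> follow the post's example command.

# Create the 16 MB flash image only once, so the PIX keeps its saved
# configuration between runs. Prints the resulting size in bytes.
make_flash() {
    flash="$1"
    if [ ! -f "$flash" ]; then
        dd if=/dev/zero of="$flash" bs=1k count=16k 2>/dev/null
    fi
    wc -c < "$flash" | tr -d ' '
}

# Build the pixemu command line for N interfaces: each gets a NIC on
# its own vlan plus a tap bridged by script if<N>up. Prints the command.
pixemu_cmd() {
    n="$1"; flash="$2"; mem="${3:-128}"
    cmd="pixemu"
    i=1
    while [ "$i" -le "$n" ]; do
        mac=$(printf '00:aa:00:00:02:%02x' "$i")
        cmd="$cmd -net nic,vlan=$i,macaddr=$mac -net tap,vlan=$i,script=if${i}up"
        i=$((i + 1))
    done
    printf '%s' "$cmd -serial stdio -m $mem $flash -no-kqemu"
}

# Check the pieces from steps 7-10 are in place, then run the emulator.
start_pix() {
    for f in pixemu.ini pix; do
        [ -e "$f" ] || { echo "missing $f in $(pwd)" >&2; return 1; }
    done
    make_flash FLASH >/dev/null
    eval "$(pixemu_cmd "${1:-2}" FLASH)"
}

# ./start-pix.sh start [interfaces]
if [ "${1:-}" = "start" ]; then
    start_pix "${2:-2}"
fi
```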

Tuesday, April 10, 2007

NetPro Ask The Expert Yusuf Bhaiji on CCIE Security

Here's a very insightful thread from Cisco's NetPro Connections Forum. Yusuf Bhaiji, Program Manager for the Cisco CCIE Security certification and lab proctor, takes time to answer questions about the lab exam. The answers to most questions are already available in the Lab Blueprint, but the Q&A helps to clarify some questions a CCIE candidate might have. Here are some of Yusuf's responses to questions which I believe are useful in knowing what to expect from the CCIE lab exam.

"As mentioned in the new blueprints, the new exam is heavily focused on Security technologies only, and routing functions are tested on Security appliances only. Advanced Routing features such as filtering, summarization etc. are no longer core objectives, and are tested mostly on the written exam."

"Yes, since the VPN3000 concentrator is announced EOS, it is very likely to be removed from the CCIE lab exam. We are presently working on this and will make an announcement when a decision has been made. Meanwhile, it will continue to appear in the exam."

"Yes, all routing & switching is pre-configured on all devices except the security appliances (i.e. PIX/ASA, VPN3k, IDS). Candidates are required to configure everything on security appliances."

"1) PIX/ASA will be running version 7.2.x (Q: Can you tell us what exact release is currently running on the exam for ASA, is it 7.2(1)? , or at least is it 7.2(X)?)
2) IPS version 5.1.x (Q:For IPS, is the lab running 5.1? )
3) NAC Framework can be tested on other devices such as the Switch or VPN3k etc (Q:Regarding NAC, on IOS it is not supported on 12.2(T) the current IOS, how will the lab test NAC then ?)
4) Both, promiscuous and inline. (Q: Do we still have to prepare for promiscuous mode IPS (or IDS) deployment or inline and inline-vlan pair only?)"

"1) It depends on the requirements & restrictions, but in most cases, there is no penalty for over-configuration. (Q:Are we penalized for over-configuration on the CCIE Security Lab?)
2) Again, it depends on the question's requirements & restrictions. There is no golden rule that you can apply. (Q:can we configure more 'generic' ACLs ? I mean in the security LAB are ACLs supposed to be as specific as possible)
Pls read the questions carefully, and if unclear, pls ask the proctor for clarification."

"The grading is entirely dependent on the proctor. Having said that, we also use 'automated tools' to expedite some of the repetitive tasks in grading and checking the same stuff on all devices, but ultimately, it is the proctor who decides to judge if the answer is correct and/or reward the points."

"Troubleshooting is most likely within the pre-configuration as security appliances (PIX/ASA, VPN3k, IDS) does not have any configuration except the basic (hostname, enable pwd, etc). "

"...all aspects of routing on security appliance can appear on the exam. But pls note, the emphasis is NOT routing, but these will appear merely to complete an exercise. "

"Troubleshooting is mainly focused on FUNCTIONALITY. For e.g. there will be a broken scenario (security context) e.g. IPsec LAN-to-LAN is pre-configured but NOT working. You will require to identify and fix the end-to-end thing and ensure it is working. The issue can be related to IPsec config or even non-IPsec config within... "

My Favorite:
"No Hints (from the proctor) :) The lab proctor is available to clarify the requirements only. He cannot offer you any hints. "

Read the rest of the conversation on this link.

Thursday, March 8, 2007

$499 Damage in my pocket for Preparation for my CCIE lab

After weighing user feedback and product marketing, I've decided to get the IPExpert workbook to help prepare me for my CCIE Security Lab.

I ordered the workbook last Thursday and it arrived Monday. Not bad considering it came all the way from Tennessee and I'm here in Asia. Upon opening the FedEx package, I see this spiral-bound book and I was like, "Is this all the US$499 (excluding shipping) I paid for???". Even the printing quality and paper used are not impressive. It has 220 pages, comprising 11 technology-focused exercises and 7 Multiprotocol Lab Challenges. The book doesn't include the solutions. The final configs have to be downloaded from the website along with the initial configurations.

As far as content is concerned though, I still have to go through the exercises and challenge labs before I can comment. What made me consider buying this is that it was written by multiple CCIEs Scott Morris and Marvin Greenlee. So my hopes are high. It is also reassuring that there is a CCIE Security WB support forum on CertificationTalk.com so that I can post questions if I need help.

And besides, the real indicator that will determine if my investment is worth it comes after I take the Lab exam itself. I don't mean that if I fail the lab (WHICH I WON'T !!!), I would blame it on the workbook. After seeing the CCIE lab scenario, I can judge whether the challenges in the workbook adequately prepared me for the level of complexity of the real thing.

Now that I have the workbook, I will be shopping for rack rentals.

Wednesday, February 28, 2007

Router: Debug Crypto Condition command

When your router has more than one VPN peer configured, troubleshooting a problematic crypto peer using debug crypto isakmp and debug crypto ipsec can get you cross-eyed in no time. You'll feel like the console is doing a DoS on your brain.

Starting with Cisco IOS Software Release 12.3(2)T, you can use the debug crypto condition command to filter debug output to a specific peer. You can use many criteria to customize the output, including peer IP, SPI, connid, flowid, etc. This filter causes the router to show only the crypto messages for the peer you are troubleshooting.

For example, first define a condition with a peer IP before enabling debug crypto:
debug crypto condition peer ipv4 2.2.2.2
debug crypto isakmp
debug crypto isakmp packet   <--- helpful hidden command
debug crypto ipsec

To identify which debug conditions are active:
sh crypto debug-condition
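If the debug was already captured without a condition (or on a router older than 12.3(2)T), the same per-peer filtering can be done offline. The script below is an added example, not from the original post or from Cisco: it mimics debug crypto condition peer on a saved debug crypto isakmp log. IOS tags most ISAKMP lines only with a connection id such as ISAKMP:(1001): and names the peer address only on "received packet from" / "sending packet to" lines, so the script learns the connid-to-peer mapping from those and keeps every line belonging to the requested peer. The sample log lines are constructed in the IOS style, not real router output.

```shell
#!/bin/sh
# Added example (not from the post or Cisco): offline equivalent of
# "debug crypto condition peer ipv4 <ip>" for a saved isakmp debug log.
# connid 0 is the shared pre-SA state, so a connid-0 line is kept only
# when it names the peer address itself.

# Usage: filter_isakmp_by_peer <peer-ip> < debug.log
filter_isakmp_by_peer() {
    awk -v peer="$1" '
        {
            # connection id appears as "ISAKMP (0):" or "ISAKMP:(1001):"
            id = ""
            if (match($0, /ISAKMP:? ?\([0-9]+\)/)) {
                id = substr($0, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", id)
            }
            # packet lines carry the peer address: learn connid -> peer
            if (match($0, /(received packet from|sending packet to) [0-9.]+/)) {
                addr = substr($0, RSTART, RLENGTH)
                sub(/.* /, "", addr)
                if (id != "" && id != "0") owner[id] = addr
                if (addr == peer) print
                next
            }
            # all other lines are attributed through the learned mapping
            if (id != "" && id != "0" && owner[id] == peer) print
        }'
}

# Constructed sample: two peers (2.2.2.2 on connid 1001, 3.3.3.3 on 1002)
# negotiating at the same time, interleaved as they would be on the console.
SAMPLE_LOG='*Mar  1 00:10:23.123: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (R) NEW SA
*Mar  1 00:10:23.127: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Mar  1 00:10:23.131: ISAKMP (1001): received packet from 2.2.2.2 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  1 00:10:23.135: ISAKMP:(1001): processing SA payload. message ID = 0
*Mar  1 00:10:23.139: ISAKMP (1002): received packet from 3.3.3.3 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  1 00:10:23.143: ISAKMP:(1002): processing SA payload. message ID = 0
*Mar  1 00:10:23.147: ISAKMP:(1001):Old State = IKE_R_MM3  New State = IKE_R_MM4
*Mar  1 00:10:23.151: ISAKMP:(1002): sending packet to 3.3.3.3 my_port 500 peer_port 500 (R) MM_SA_SETUP'

# ./isakmp-filter.sh <peer-ip>  prints the sample log filtered to that peer
if [ -n "${1:-}" ]; then
    printf '%s\n' "$SAMPLE_LOG" | filter_isakmp_by_peer "$1"
fi
```

Pipe a real capture into filter_isakmp_by_peer instead of the sample to use it on your own logs.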