I minified myself!

As a little present to myself for passing the lab, I decided to get a personalized Lego man created. I have always loved Lego, it's going to be unique, and it's a damn sight cheaper than the personalized number plate I want to buy!

So here he is (or I am, depending on which way you look at it):

CCIE lego figure

Forgive the slightly dodgy photoshop skills to get rid of the background, but I think it's pretty neat.

I got it from minifigs.me, and I think they did a wonderful job. The CCIE logo is very clear, as is the printing on the body.
Here it is again, minus the photoshopping:

CCIE lego figure

I already had the laptop and the cup.

It took a couple of weeks from ordering to delivery, and cost about £20.

You can get your own created at minifigs.me.

CCIE Security study plan

It's always a good idea to have a structured study plan. I did this with my Routing and Switching CCIE, managing to stick to it (roughly). So it makes sense to do one for this as well.

My plan in its most general sense is to:

Build up a fully working lab, bit by bit.
Use the INE videos to build up this knowledge as I go.
Read the books for the various sections.

The lab will be based around UNL, and the topology will be based around the same one used by INE. So that when I come to do their full labs, it will all be set up and all the kinks will be worked out. The topology is in my first post about the CCIE Security, but I will re-post it here to make life easier:

Cisco CCIE Security v4 topology

Sounds very broad, doesn't it. So let's break it down to a proper study plan, starting with the things that are new to me. Where I mention ATC, this is the INE Advanced Technology Class (http://streaming.ine.com/c/ccie-security-advanced-technologies-class)

1: Set up TestPC-B, Switch 2 and Switch 6. This will give me access to WSA1
2: WSA :-
  • Watch: INE video course http://streaming.ine.com/c/ccie-sc-wsa-primer. Applicable videos from the ATC.
  • Read: http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa7-1/user_guide/Cisco_IronPort_AsyncOS_7-1-0_User_Guide_for_Web_Security_Appliances.pdf
  • Do: Set up WSA in UNetLab.
  • Covering: Section 3: Intrusion Detection and Content Security (second half)
3: Set up Switch 1 & Switch 3, giving access to ISE1 and ISE2 (Not pictured - need to complete topology)
4: ISE :-
  • Watch: INE video course http://streaming.ine.com/c/ccie-sc-ise--primer, and videos from ATC.
  • Read: Cisco ISE for BYOD and Secure Unified Access: BYOD Network Security with ISE
  • Do: Set up ISE(s) in UNetLab/ESXi - I don't think they will run natively in UNL.
  • Covering: Section 4: Identity Management
5: Set up Switch 2 and Switch 4 - giving access to ACS1 and ACS2.
6: ACS :-
  • Watch: INE ATC videos
  • Read: Cisco Access Control Security: AAA Administration Services
  • Do: Setup ACS
  • Covering: Section 4: Identity Management
7: Set up ASAs - Now the fun really starts! I should be in a good position now to start opening up the network. We are ready to authenticate through ACS/ISE and WSA, and are working from an inside-out fashion, rather than outside-in.
  • Watch: INE ATC
  • Read: Cisco ASA: All-in-one Next-generation Firewall, IPS, and VPN Services
  • Do: Set up ASAs, for VLANs, failover/HA, transparent mode, routed mode and anything else I can think of.
  • Covering: Section 5: Perimeter Security and Services 
8: VPNs
9: IPS
  • Watch: INE ATC
  • Read: Cisco ASA: All-in-one Next-generation Firewall, IPS, and VPN Services
  • Do: Set up IPS
  • Covering: Section 3: Intrusion Detection and Content Security (first half)
10: Hardening and availability
  • Watch: INE ATC
  • Read: Designing Network Security
  • Do: Set up hardened services on routers
  • Covering: Section 1: System Hardening and Availability
11: Wireless stuff
  • Watch: INE ATC
  • Read: Cisco Wireless LAN Security
  • Do: Set up Wireless components - vWLC, an AP, a wi-fi client
  • Covering: Section 6: Confidentiality and Secure Access
12: Miscellaneous other stuff - need to cover section 2: Threat Identification and Mitigation
  • Watch: Not sure yet.
  • Read: Implementing Cisco IOS Network Security
  • Do: General protection
  • Covering: Section 2: Threat Identification and Mitigation
13: IPv4 and IPv6 routing protocol security. Although it's not stated explicitly, section 1.1 does refer to IGP authentication, so with the aid of part 8 (VPNs), we can add on some IGPs and EGPs.
  • Do: Implement IGPs and set up authentication.
By this stage I should have gone back and forward, as the network expands, adding and building on to WSA, ISE and ACS knowledge. As I go through the topology I will be changing it, and then when complete, it will be published, definitely here, probably on the UNL site as well. Then we get to the final stages.

14: Do written exam
15: Practice - do INE Security workbooks and full scale labs.
16: Lab - take the lab exam.
17: Profit? Re-take lab exam? Who knows!

I am not attaching any timelines to this at the moment though. I'll start doing that closer to the end.

What do you reckon? A workable plan? Missing anything?

CCIE Security Topics and Reading list

I have started to get my reading list ready. I definitely need to get some more shelving in the house.

I think it might be easier to break each section down, and find the appropriate books and documents. That way I can work on the essential books first.

There are six major sections in the CCIE Security exam. You can download the complete list of topics from here. The reading lists I will be using are from Cisco, and from INE.

Section 1.0 System Hardening and Availability:

  • 1.1 Routing plane security features (for example, protocol authentication and route filtering)
  • 1.2 Control Plane Policing
  • 1.3 Control plane protection and management plane protection
  • 1.4 Broadcast control and switch port security
  • 1.5 Additional CPU protection mechanisms (for example, options drop and logging interval)
  • 1.6 Disable unnecessary services
  • 1.7 Control device access (for example, Telnet, HTTP, SSH, and privilege levels)
  • 1.8 Device services (for example, SNMP, syslog, and NTP)
  • 1.9 Transit traffic control and congestion management
Fairly general protection. There are a couple of books that will work here. Implementing Cisco IOS Network Security, and Designing Network Security (Second Edition). The first book is part of the CCNA series, so the second book might be a better option.

Essential purchase: Designing Network Security.

Section 2.0 Threat Identification and Mitigation:

  • 2.1 Identify and protect against fragmentation attacks
  • 2.2 Identify and protect against malicious IP option usage
  • 2.3 Identify and protect against network reconnaissance attacks
  • 2.4 Identify and protect against IP spoofing attacks
  • 2.5 Identify and protect against MAC spoofing attacks
  • 2.6 Identify and protect against ARP spoofing attacks
  • 2.7 Identify and protect against DoS attacks
  • 2.8 Identify and protect against DDoS attacks
  • 2.9 Identify and protect against man-in-the-middle attacks
  • 2.10 Identify and protect against port redirection attacks
  • 2.11 Identify and protect against DHCP attacks
  • 2.12 Identify and protect against DNS attacks
  • 2.13 Identify and protect against MAC flooding attacks
  • 2.14 Identify and protect against VLAN hopping attacks
  • 2.15 Identify and protect against various Layer 2 and Layer 3 attacks
  • 2.16 NBAR
  • 2.17 NetFlow
  • 2.18 Capture and utilize packet captures
Network Security Principles and Practices has good coverage of NBAR, most of these are fairly easy to mitigate, just need a decent explanation for those tricky written exam questions. This is where the CCNA study material will come in useful.

Essential purchase: Implementing Cisco IOS Network Security

Section 3.0 Intrusion Prevention and Content Security

  • 3.1 Cisco IPS 4200 Series Sensor appliance and Cisco ASA appliance IPS module
  • 3.1.a Initialize the sensor appliance
  • 3.1.b Sensor appliance management
  • 3.1.c Virtual sensors on the sensor appliance
  • 3.1.d Implement security policies
  • 3.1.e Promiscuous and inline monitoring on the sensor appliance
  • 3.1.f Tune signatures on the sensor appliance
  • 3.1.g Custom signatures on the sensor appliance
  • 3.1.h Actions on the sensor appliance
  • 3.1.i Signature engines on the sensor appliance
  • 3.1.j Use Cisco IDM and Cisco IME to manage the sensor appliance
  • 3.1.k Event action overrides and filters on the sensor appliance
  • 3.1.l Event monitoring on the sensor appliance
  • 3.2 VACL, SPAN and RSPAN on Cisco switches
  • 3.3 Cisco WSA
  • 3.3.a Implement WCCP
  • 3.3.b Active Directory integration
  • 3.3.c Custom categories
  • 3.3.d HTTPS configuration
  • 3.3.e Services configuration (web reputation)
  • 3.3.f Configure proxy bypass lists
  • 3.3.g Web proxy modes
  • 3.3.h Application visibility and control
Luckily I have done a fair bit of work on IPS modules, nevertheless, I'll need something to fill in my weak areas. The ASA book; Cisco ASA: All-in-one Next-generation Firewall, IPS, and VPN Services, will be good here.

Best Cisco ASA book

In terms of the WSA there is a good document from Cisco.

Essential purchase: Cisco ASA: All-in-one Next-generation Firewall, IPS, and VPN Services
Essential download: http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa7-1/user_guide/Cisco_IronPort_AsyncOS_7-1-0_User_Guide_for_Web_Security_Appliances.pdf


Section 4.0 Identity Management

  • 4.1 Identity-based AAA
  • 4.1.a Cisco router and appliance AAA
  • 4.1.b RADIUS
  • 4.1.c TACACS+
  • 4.2 Device administration (Cisco IOS routers, Cisco ASA, and Cisco ACS5.x)
  • 4.3 Network access (TrustSec model)
  • 4.3.a Authorization results for network access (ISE)
  • 4.3.b IEEE 802.1X (Cisco ISE)
  • 4.3.c VSAs (Cisco ASA, Cisco IOS, and Cisco ISE)
  • 4.3.d Proxy authentication (Cisco ISE, Cisco ASA, and Cisco IOS)
  • 4.4 Cisco ISE
  • 4.4.a Profiling configuration (probes)
  • 4.4.b Guest services
  • 4.4.c Posture assessment
  • 4.4.d Client provisioning (CPP)
  • 4.4.e Configure Microsoft Active Directory integration and identity sources
Clearly the winner here will be Cisco ISE for BYOD and Secure Unified Access: BYOD Network Security with ISE. The clue is in the title, the other one will be Cisco Access Control Security: AAA Administration Services. Two obvious choices.

Essential purchase: Cisco ISE for BYOD and Secure Unified Access: BYOD Network Security with ISE
Essential purchase: Cisco Access Control Security: AAA Administration Services

Section 5.0 Perimeter Security and Services

  • 5.1 Cisco ASA firewalls
  • 5.1.a Basic firewall Initialization
  • 5.1.b Device management
  • 5.1.c Address translation
  • 5.1.d ACLs
  • 5.1.e IP routing and route tracking
  • 5.1.f Object groups
  • 5.1.g VLANs
  • 5.1.h Configure EtherChannel
  • 5.1.i High availability and redundancy
  • 5.1.j Layer 2 transparent firewall
  • 5.1.k Security contexts (virtual firewall)
  • 5.1.l Cisco Modular Policy Framework
  • 5.1.j Identity firewall services
  • 5.1.k Configure Cisco ASA with ASDM
  • 5.1.l Context-aware services
  • 5.1.m IPS capabilities
  • 5.1.n QoS capabilities
  • 5.2 Cisco IOS zone-based firewall
  • 5.2.a Network, secure group, and user-based policy
  • 5.2.b Performance tuning
  • 5.2.c Network, protocol, and application inspection
  • 5.3 Perimeter security services
  • 5.3.a Cisco IOS QoS and packet-marking techniques
  • 5.3.b Traffic filtering using access lists
  • 5.3.c Cisco IOS NAT
  • 5.3.d uRPF
  • 5.3.e Port to Application Mapping (PAM)
  • 5.3.f Policy routing and route maps
The ASA part is obvious, and already recommended in section 3. For the zone-based firewall? Not sure what the best book is. It's kind of an old technology now, so I'll be using the Cisco white paper referenced below.

Essential download: http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

Section 6.0 Confidentiality and Secure Access

  • 6.1 IKE (v1/v2)
  • 6.2 IPsec LAN-to-LAN (Cisco IOS and Cisco ASA)
  • 6.3 DMVPN
  • 6.4 FlexVPN
  • 6.5 GET VPN
  • 6.6 Remote-access VPN
  • 6.6.a Cisco EasyVPN Server (Cisco IOS and Cisco ASA)
  • 6.6.b VPN Client 5.X
  • 6.6.c Clientless WebVPN
  • 6.6.d Cisco AnyConnect VPN
  • 6.6.e Cisco EasyVPN Remote
  • 6.6.f SSL VPN gateway
  • 6.7 VPN high availability
  • 6.8 QoS for VPN
  • 6.9 VRF-aware VPN
  • 6.10 MACsec
  • 6.11 Digital certificates (enrollment and policy matching)
  • 6.12 Wireless access
  • 6.12.a EAP methods
  • 6.12.b WPA and WPA2
  • 6.12.c wIPS
Easy VPN is covered pretty well in Advanced IPSec VPN Design. The Complete Cisco VPN Configuration Guide covers a lot of the rest, however both seem to be a little light for FlexVPN and GET VPN. My own book, VPNs and NAT for Cisco Networks covers DMVPN pretty well. MACsec is covered well in this document. I do need to find a decent Wireless book to cover 6.12. Cisco Wireless LAN Security seems like the obvious choice.

Essential purchase: The Complete Cisco VPN Configuration Guide
Essential purchase: Advanced IPSec VPN Design
Essential purchase: Cisco Wireless LAN Security

There are some notable exceptions. The Cisco guidelines for the CCIE Security v4 exam make no mention of IPv6. I am sure this will probably appear somewhere. The v4 is only a couple of years old so there must be some IPv6 in it somewhere. The book IPv6 Security seems like an obvious choice.

So now we have a workable book list. It is fairly short, but here it is, the ones with a red star are the ones I have already purchased. The links will take you to the appropriate Amazon page, in case you are joining me on this trip!

Designing Network Security (2nd Edition)
Implementing Cisco IOS Network Security
*Cisco ASA: All-in-one Next-Generation Firewall, IPS, and VPN Services (3rd Edition)
*Cisco ISE for BYOD and Secure Unified Access
*Cisco Access Control Security: AAA Administration Services (Networking Technology)
*The Complete Cisco VPN Configuration Guide
*Advanced IPSec VPN Design
Cisco Wireless LAN Security
IPv6 Security

Not too bad! It will also be nice to add a little color to the bookshelves and get some orange in there.

If you can think of any essential books I should add then please comment below. 

Holiday time, kick back, relax, redesign the website

I am currently on holiday in Spain.

It's the annual extended family holiday. It's me, my wife, our kids, her brother, his wife and their two girls, and my wife's sister (her boyfriend was here, but he had to go back home due to a family emergency). It's a big villa in Malaga, over looking the ocean. It's very nice, and exactly the rest needed after the CCIE exam.

CCIE goes to Spain

I am English, so remember that we are afflicted with one major issue;

We/I don't cope well in the heat.

I love the cold. Throw me on a mountain in a t-shirt and strap a snowboard to me and I am happy. I'll hug you like a brother, buy you a beer, and you'll be my favourite person.

Put me in Spain in July and I will sweat 24-7, I'll drink all the water in the tap, all of the orange juice and all of daddy's beer (and if you can name the kids book this is paraphrased from then you win 10 points). It's hot.

We arrived at the villa to find that our room, which backs out on to the pool, had just a sheet to cover the bed. The first night it was a bit of a fight and my wife won the sheet. The second night I thought I would be gentlemanly, and offer her the sheet before we even got to bed. I was not, of course, accounting for her wanting to keep the air-con on all night long. So she's got the sheet for when she gets cold, and the air-con on because she's hot. Whilst I shiver from the waist down.

Anyway, I found a towel, and my legs were OK. Turns out that the severe sunburn I got during the day was keeping my top half warm anyway.

The sunburn has meant that I have not been able to pick my boys up, and have shunned any form of top-half physical contact. Read into that what you will. They don't make a factor strong enough for me. Apart from a complete lead casing, which tends to have negative effects in the swimming pool.

Nevertheless, I have watched my children (currently three and a half years old) blossom into water babies - seriously, they love the pool, and I love watching them jump into the pool.

The next generation of CCIEs?

The down-time has allowed me to do some reading, and some time to redesign the website.
It's still in progress, so there are still a few tweaks and changes here and there to be made. I have some pages to add still, for the labs and for the book series, each will have its own page.

I think the new design is better, there will be fewer adverts on the front page.

I hope you like it. Let me know your thoughts and suggestions!

CCIE Security it is then!

Although I am still on a bit of a high after passing my first CCIE, I am now considering which one to do next. Each CCIE expires after two years, and as it took me two years to get this one, I can't afford to sit around for too long.

In my previous post I laid out the pros and cons of the Service Provider and Security tracks.

I was in two minds, one seemed a logical continuation, the other was a logical move to something more pertinent to my role. But which to choose, ease, or sense? A couple of you guys helped out, which helped the sense part kick in.

So the next CCIE I am planning to get is the Security track.

It makes sense. I spend most of my time at work on ASA firewalls, so already that has lessened the learning curve - still a lot of learning to do, but it's certainly easier, than say Wireless.

I have been thinking of how to plan this, and so far the idea is:

Watch the INE training videos. There are two courses, both in excess of 60 hours each. There is probably some overlap between the two, but I'll watch them both anyway.

Do the INE courses. There are seven sections, and then five full scale labs.

Read some books. Read some more books, lab things up, practice and practice.
Take the written
Take the lab

I am not attaching any timelines to this, barring the fact that, at the very least, the written needs to be done before my current CCIE expires.

I also still want to finish the Multicast and QoS book that I have started to write, so that'll take a couple of months.

I also need to set up my "lab", which will be a mixture of UNetLab and physical equipment.

UNetLab as a base for CCIE Security

I should be able to do the majority of this within UNetLab (UNL).

There are a couple of bits that won't be doable in UNL, and that is the IP phone, and the Lightweight Access Point (LAP).

I have started to build the topology, using Arista vEOS switches in order that the port number be as similar as possible. But it looks a little like this at the moment:

CCIE Security v4 on UNetLab

I still need to add in the ISE1, ISE2, ACS2 and windows 2008 servers - but, in theory, these should run happily within Qemu, if not then they can be run as ESXi images and UNL will connect happily to them. The issue is going to be the memory requirements.

CCIE Security hardware requirements

So far this is what I need to be running (going by the INE topology):

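| Device | Quantity | Memory (GB) | Total Memory (GB) |
|---|---|---|---|
| Switches | 6 | 1 | 6 |
| Routers | 7 | 0.5 | 3.5 |
| ASA (8.x) | 2 | 0.256 | 0.5 |
| ASAv | 2 | 2 | 4 |
| IPS | 1 | 2 | 2 |
| vWLC | 1 | 2 | 3 |
| WSA | 1 | 4 | 4 |
| ACS | 2 | 2 | 4 |
| ISE | 2 | 2 | 4 |
| Windows 2008 Server | 2 | 4 | 8 |
| Windows 7 PC | 1 | 2 | 2 |
| Total | | | 40 |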

Some are rough estimates, but if I want to run it all it'll be around 40Gb of memory that will be needed.

This is more memory than I currently have in my ESXi server.

So that means I have some hardware requirements.

I am OK for physical switches, I have a 3750, some 3650, and some 3550s. I only really need one or two of these for the physical connections.

I need to get:

1x Cisco 7900 series IP phone (Approx £50).
1x Cisco Aironet AP (about £50).
Big-ass server/desktop to run ESXi on. There are a couple of good ones on the bay, a Dell 48Gb memory dual hexa core one for £650 (or a 144Gb one for £1400!), or some HP ones, but with those I'd need to buy the memory separately, which could quickly bump up the price.

It'll be about £800 for everything. I'll start getting the bits together after my holiday next week.

Now it's time to play with Qemu a bit, and see what will run within UNL.

Also - in the last post, I said that I might throw in a prize, well Bernd can you drop me an email, there's a £50 Amazon voucher (or your preferred currency equivalent) for you.

Which CCIE next: SP or Security?

Now I have a choice to make: Which CCIE track do I do next? I could just sit back and rest for a bit, but I think the CCIE is a bit like getting a tattoo, it's a bit addictive, also I will need to recertify within 2 years, so I need to do another one.

I passed my final CCNP on July 10th 2013, and passed my CCIE R&S on July 10th 2015. I have only just seen this, but it certainly was not intentional that I chose the lab date I did. So, we can figure that the next CCIE will take up to two years to complete. Hopefully it won't take that long, but 2 years should be ample time. At any rate, it pretty much means that I cannot afford to sit back for too long.

So far all of my certifications have been in the Routing and Switching domain, I started with CCNA, then did CCNP, and finally reached my goal of CCIE. But what track should I do next?

It will either be Security, or Service Provider. I don't have much interest in, or need for, Wireless, Voice or Collaboration. Data Center would be very useful, but getting regular access to the necessary hardware (for me) is not easy. I certainly cannot afford the $1m (list price) for the equipment either. So this leaves SP and Security. 

Which CCIE to do next?

I am not going to start again from the CCNA for these, thankfully there are no prerequisites, so I can jump straight to the CCIE level. I think I can do this.

But which to choose?

CCIE Service Provider

Pros: The Service Provider track seems like a logical step on from the Routing and Switching. It centers heavily around BGP and MPLS, with either OSPF or ISIS as the IGP. I think I am pretty strong on these topics already, so it feels like a very logical continuation from Routing and Switching.

All of the SP topology can be run pretty easily within UNL (UNetLab), as it is 4 XRv routers and 10 CSR1000v routers, within a 32GB server. I could follow the INE workbooks with no problem.

Cons: SP track is not entirely relevant to my role, barring things like QinQ, whereas the Security track is.

CCIE Security

Pros: I spend most of my working day in our ASA firewalls, so it would make sense to do this track next. It will help me in my job more than the SP track.

Whilst it can all run within UNetLab, I will probably need more memory. This is not a show stopper, but I might have to repurpose my existing ESXi server, and build a new, more powerful one.

Cons: It does not look like so much of a quick win as the SP does. I think I could do the SP quicker than the Security.

Both are equally attractive subjects, so I really don't know what way to lean. Do I choose what seems (at the moment) to be the quicker option, or do the longer one which is more relevant to my current role?

So, kind people... what do you think I should do? Comment below (with reasons). I might even throw in a prize as I am in a good mood!

Riddle: What has two thumbs and five digits?

You can probably guess that I got "that email" from Cisco this morning. So it's the moment of truth.

Did I pass or fail?

I woke up this morning feeling tired. One of my boys climbed into bed with me, wriggled around for a bit then made me get up to make him breakfast. The other one is still asleep, unusual for him, but we did stay out really late last night. Part of me wanted to stay in bed, after all in a Schrodinger's cat kind of way, if I don't know that I have failed, that means I have passed, right? I think that's how it works.

Nevertheless, I am still nervous about the result.

Nervous on Airplane

I was not sure whether I'd get an email from Cisco by now, mainly because it is the weekend, so I would have allowed until Monday to hear back.

They sent the email at just after 5am this morning.

CCIE results

The email itself just directs you to the CCIE webpage.
This is what greets me:

CCIE results

Clicking on the "Pass" link takes us to another page:

CCIE results

So there we go. What's got two thumbs and five digits?

This guy.

I am CCIE.

CCIE certified logo

I did it. I would like to know the actual scores, but now they are irrelevant.

I have the digits. Mission accomplished.

It's time to celebrate today. I can rest, I can enjoy time with my family again. I can spend my holiday (at the end of the month) relaxing and enjoying. This will be nice as I am sure my family would prefer me not to be studying for the fourth year in a row when we are on holiday.

I feel so relieved now. I have got some friends coming over later for a BBQ, so it's time to kick back and relax.

Once again I'd like to thank all of you who have encouraged me along this journey. It's not over yet, but I have reached a massive milestone.

So thank you guys for the support. I have the digits, and don't feel like I have let you guys down, as well as myself.

Time to go outside and smell the roses!

First CCIE attempt is over

So, let me start by saying that I don't know my result yet, it's nearly 11pm on a Friday night. I have a thumping headache, and after getting only a couple of hours sleep last night, I am feeling very tired.

Let me also say that I won't be breaking any NDA in this post (or outside of the post, so don't ask for any lab details).

That said, here's how my day went.

I got very little sleep. My body has a tendency to wake me up super early if I have something important to do, today was no exception. My alarm was set for 7am, brain woke me up at 5am. Screw you brain. Thanks a bunch. Managed to get an hour or so sleep after that, woke up feeling very groggy.

The shower at the hotel was decent enough, so that woke me up a bit, I got a coffee from Starbucks, and drove over to the Cisco campus.

The campus is very nice. I didn't take any pictures, already the nerves had kicked in, and I turned my phone off and stored it in the car.

I arrived about half an hour early, one of three candidates, the other two were taking the DC track.

We sign some paper work, and head up to the room.

I have got the most wobbly desk. It's like typing on a boat. I also have one of those keyboards with a really small enter key, and a \ next to it. So very frequently I pressed \ instead of enter, which got really infuriating for a while, but seemed to get easier (a little) later on.

We only have putty, no SecureCrt, or superputty. This is a little annoying, but you get used to it. The screen is a decent size though.

First up we have the troubleshooting section. I am whizzing through this, the first seven questions go really well, and the last two went well also. I did have to ask the proctor at one stage, but he couldn't help me. Everything was working fine, so it's my issue. I did solve that one myself though, so that was OK. Question 8, however, I could not get to work. It kind of worked, but not 100%. So I reckon I failed on that one. The annoying thing is that the first bunch of questions I whizzed through. Got stumped on #8, did 9 and 10 then went back to 8. Still couldn't get the output to match, I had bags of time, and even went into the 30 mins that could be used for the Config section. Still couldn't get it to work.

CCIE brain explode

At this point I got really angry and stressed at myself. Routes were there, just things were taking the wrong path. I spent ages going over and over it. Getting more and more stressed. In the end I decided to move on, and save the time for the config section.

As a side note - I know a lot of people have mentioned that there is a fair amount of lag in a remote lab, but I found it perfectly fine.

Then we have the Diagnostic, which I think went OK. Again, I haven't got the scores yet, so it might have gone ok, or I might have bombed out completely.

It's about 11:30 by now, so I start the config section, covering all of section 1 before lunch.
The cafeteria at Cisco is very nice, but I just opted for an orange juice. Nerves had hit hard by then. I was still angry over the question I had failed to solve in the TS, so was stewing a bit.

The config section went pretty well (I think, we'll find out at some stage). I didn't leave any questions un-attempted, and the outputs matched what was required.

I finished with about 2 minutes to spare. It was close, and I know I picked up a couple of points in the IPv6 section that I would have otherwise missed if I had not had those extra couple of minutes that I chose to "lose" from the TS section.

So although I know I lost some points in the TS, I gained some in the config.

I walked out feeling very uncertain. If I had got all of the TS tickets, then I am sure that I'd have a passing grade, as it stands now, I really don't know.

I then spent about 2 hours on the M25, before getting home and meeting my wife and kids at the family-do at the local cricket club.

Now it's 11:20pm. I am tired, a little drunk, and off to bed. Still none the wiser as to whether or not I have passed. Though the title of this post should be an indication of how well I think I did.

Before I go though, I'd like to say a big thank you to all of you who have wished me well for today, either through the blog, through twitter, or via any other means. It meant a lot, and thank you.

Night all.

The day before the CCIE lab

I have checked in to the hotel. It's nothing fancy, but it is close, it has beer, and the staff are friendly.

beer!

I am now known as Mr. Reese, due to my Reese's chocolate t-shirt. That's the kind of welcome I like after a 2 hour drive into outer London. 

So did I manage to keep up to my schedule for the week? Yes and no. I got called into a meeting at work, and spent a very large part of Tuesday building a lab to solve the work issue. 

Other than that, it has pretty much gone according to plan. I have watched the majority of the INE cram videos, and picked up a couple of tips in the way. I did another 360 config, and learned from my mistakes. 

I pushed myself for most of the week, but totally slacked off today. Being the day before the exam, you'd think that I would be pulling out all the stops and getting every last little bit of information that I could, however, to be perfectly honest, I am feeling tired and a little bit burnt out. 

It's been a good week, but tiring. 

The CCIE is no easy effort. It requires time, dedication, and is an exhausting process. 

So do I feel ready?

Not sure really. 

My good friend and colleague from work passed his on Monday, and given the external factors he's had to contend with, I really must congratulate him on passing when others in the same circumstances would have let these factors overwhelm them, and not be able to pass. So he's done great, and it really gives me a good feeling that I can pass this. We have bounced ideas off each other, worked through scenarios and spoken at great length about the process needed to do well, and it is a process, especially in the troubleshooting section.

When I sat Narbik's course and he said that if you have the right process then you will pass, I sat there thinking "There's a process? How do I get a process?", well actually that came pretty easy in the end and I think I have one that should serve me well. It's nothing magical, it's just a list of commands to cover most eventualities, and hopefully it'll work tomorrow.

Tonight is all about the final pointers; get my aliases in my head, a bit of light reading, and an early night. 

It's up early tomorrow, I plan for a 7am start, grab a Starbucks, and off to Cisco!

After one last beer. 

more beer!

Cheers!



GNS3 vs. IOU poll - who won?

I have been running a poll on the site to determine whether people would prefer the next volume (Multicast and QoS) to be designed for IOU or, like the previous three volumes, for GNS3.

At the start, IOU steamed ahead, but then GNS3 started to catch up.

The poll has now closed. We had 67 people take part. The end result?

IOU won by a large margin.


If it had won by any more, then the pie chart would look like Pacman.

So the book will be designed for...
UNetLab.

Here's why.

  1. On the basis that if people are using IOU, then they will have probably heard of UNetLab.
  2. If people have IOU images in IOU, they can be used in UNetLab.
  3. UNetLab offers support for more systems than IOU, therefore we can have a Linux VM and PROPERLY test multicast AND QoS.

The thing about Multicast (and QoS) is that it is hard: in a closed environment such as IOU, or even when you are restricted to just using routers and switches, you have to take output as an indication of whether something is working or not. If you could actually see a multicast stream, i.e. a video file playing on VLC, then it's easier to see cause and effect.

UNetLab will allow for a nicer book, we'll be able to see video being multicasted, and also implement QoS restrictions on this as well, rather than just seeing an ICMP response. 

It'll be fun, as networking should be.


7 days to go - it's CRAM TIME!

This time next week I should be firmly ensconced in my hotel room, or hopefully, the bar at the hotel, ready for my exam in the morning.

So, how best to spend the remaining few days?

Well, it's kind of a matter of what I can fit in, really.

Friday

I am working tomorrow, from home, so might be able to do a little bit of study then. Let's say 2 hours.

Weekend

I promised to take the twins to see the Minions movie (which I am also pretty excited about seeing), and we have a BBQ to go to.  I should be able to get about three hours a day. So far we are at 8 hours.

Monday - Friday

The twins go to nursery on Monday and Tuesday, so if I take them and not my wife (she might be working), then I can start at about 9:30. If I have to pick them up again then that gives me 6 hours a day. 20 hours.

Wednesday I should have 9-5. 8 hours, bringing me up to 28 hours.

Thursday I will drop the boys off at my mum's, back by 10:30, say I leave for the hotel at 6pm, then that's 7 1/2 hours. A drink and a bit of light reading of notes at the hotel, add on another hour, two maximum. Let's call it an hour and a half for the sake of maths, that gives me a further 9 hours.

Realistically I have 37 hours. I might be able to squeeze a few more here and there.

So what can I do in less than 40 hours to try and ensure I get the result I want?

All play and no work makes Stuart a non-CCIE

Well the good news is that my initial addiction to Fallout Shelter has reduced to a couple of hours, spread out over the course of the day, meaning I am less likely to waste this time. I can reserve this for before 9:30, lunch and after I finish.

Doing a 360

I have a couple of Cisco 360 configuration labs to go through. These take about 4 1/2 hours each. 9 hours to do both. I also have a couple of their TS labs at 2-2 1/2 hours each.

INE out, INE out, CCIE all about

Thanks to all you lovely people who have bought my books, I purchased an INE All Access pass. So far (and I only got it today) I am really impressed. Well worth the $599 for a year, and it'll be great for the Service Provider track that I plan to do next, and the CCDE after that (though doing both in a year might be pushing it a bit, given how long it's taken me to get this far). Anyway, INE have recently done an Exam Cram series, a bit of last minute revision, which is 35 1/2 hours' worth of videos.

But to do this course and both the 360 labs probably won't work. I can't do both at the same time, as either I won't pay attention to the course, or to the mock-lab. So both (and I) will suffer.

Assume, for a moment, that I can squeeze in a couple more hours here and there, which, in order to do both, needs to be just shy of 10 hours, then I could feasibly do the following:

Friday: LAN/VLAN, STP, EtherChannel (INE) - 2 hrs
Saturday: WAN, PPPoE, PPP, EIGRP (INE) - 3 hrs
Sunday: OSPF (INE), 360 TS - 4 hrs
Monday: BGP, MPLS (INE), 360 Configuration - 9 hrs
Tuesday: VPNv4, PE-CE, DMVPN, Multicast, Services (INE), 360 Configuration - 10 hrs
Wednesday: Mock lab 2 (INE) - 8 hrs
Thursday: Mock Lab 1 (INE) - 7 hrs

Total: 43 hours. Somewhere I have to find an extra six hours, which could be pushing it. I am trying to be realistic about the amount of time I have. If I can get more, then it's a bonus. But still, counting down the hours is a bit scary.


Should be an interesting seven days!