Title: CCIE SP Lab Checklist

Author: Stephen Bowes

Version: 3.0
Date: November 2009

Abstract:
This is a compilation of notes, gotcha's, pointers, etc from my research in preparation for my
upcoming CCIE SP Lab exam which I have acquired over many years. Please feel free to
notify me of more improved ways to those listed below and or errata through my CCIE blog at
cciesplab.wordpress.com or by email at cciesp@rocketmail.com.

Points Scoring and Timings:

I am conscious of the number of candidates who have failed due to running out of time. There
are a number of reasons for this, here they are and proposed solutions.

Reasons for Failure: Solutions:

Misinterpreting the questions
Typing in the right configuration
on the wrong interface or router
Tasks taking too long to
configure in the time window
available
Lack of Task Verification
Read the question more slowly, read it again, do not over-
engineer the solution, answer what is asked, confirm any
doubts with proctor, if proctor answer unacceptable, ask
the same question a different way again.
Tread carefully, cross-check and reference, validate before
moving on.
Practise speed drills, type faster, use aliases, notepad for
verbose configurations, and use the Doc CD less if
possible. Configure technologies router by router rather
than interface by interface [explained later]
Failing to fully verify – ensure you use the three way
approach [1] Ping, [2] Trace Route & [3] Routing Table

To this end my timing plan is as follows -> Total Time = 8 hours = 480 Minutes. Lab Points
Total = 100 Points, allowing 30 minutes for opening moves [see below] and 50 minutes for
checking, validation and verification at the end, gives me 400 minutes for configuration
=> 4 Minutes/Point.

Pre-Lab Actions:

1 Month:
Adjust your body to performing 8 hour labs - Stamina will be key - you will be no use to
anyone if you get tired after 5 hours of labbing. With 1 month to go ensure you are not doing 4
hour mini-labs rather the longer ones.

1 Week:
Adjust your body clock to the lab time. In my case I work 11am-7pm GMT whereas the Lab
Exam in Brussels starts at 0745. This is 0645 GMT so with a week to go I will be up,
showered, and had breakfast and sitting at my desk at 0730 to start an 8 hour lab with lunch
at 12 for 30 minutes. I need to be fully alert at 0745 on Lab Day.

Lab Exam Day:

• Get as much sleep as is feasible the night before, up, showered, breakfast complete
and be at Cisco by 0730. I booked into the nearest hotel I could find 250m away so
no reliance on transport, etc.
• Bring a number of layers of clothes in case the room is cool, bring ear plugs so that
the 11 guys/girls typing next to you and also so that the CCIE Voice candidates
testing faxes will not interfere with your concentration levels.
• Documentation Location is http://www.cisco.com/web/psa/products/index.html

15 Minute Immediate Action: Anyone who has served in the military knows what an
Immediate Action is – when something goes wrong a backup plan – in this case I’m going to
move on if I cannot get any 3 pointer completed within 15 minutes ensuring I finish the lab!

Page 1 of 7
Lab Action Plan: [Note: All times below are estimates and dependent on points values as per
timing plan noted above]

Opening Moves: [30 Minutes: 0800->0830]

• After the proctor instructions, take a minute, calm yourself, open the booklet, read the
exam end to end, visualise the Bridging/Switching, IGP, EGP, MPLS, etc.
• Draw a personalised diagram of the topology - Note: This is a talking point, some do,
some don't, and I think it’s advantageous especially from an IP/Interface perspective.
• Ignore the rush of the other candidates typing or the urge to get started.
• Create a point checklist on the rough paper provided. Here is my example.

Example Point Checklist:

Task: Section: Points: Time: Completed: Total Comments:

[Mins] Points:
Switching 1.1 3 15 Yes 3 Watch
security
requirement
section 7.2
Switching 1.2 2 10 Yes 5 All ok
Switching 1.3 2 10 No, moved on 5 Look up
DocCD to
confirm
solution.

Troubleshooting: [15 Minutes: 0830->0845]

A number of faults may have been entered into the pre-configured devices. Check your
SecureCRT software – can you see each of the devices? Reload each device, look for any
hardware errors on boot-up, now is the time to spot this, not 11am.
As any issues could have been introduced check everything, IP Addresses matching
Interfaces, subnet masks, FR DLCI’s, FR Inverse-Arp, pre-defined VLAN’s, VTP Modes on
3550’s, watch any pre-defined configurations configured on correct interfaces, ATM
configurations, NSAP, IP, IP CEF, etc, etc.

I am not an Alias guy but now would be the time to do this, type these into notepad and cut &
paste onto the routers ‘show run | b Se’ – Remember for large or repetitive configurations
such as BGP, use notepad and then copy and paste but be aware of changing values such as
IP’s, subnets, etc as you copy and paste.

♦ Bridging & Switching:

Frame-Relay: [15 Minutes: 0845->0900]
• Use your diagram to draw out the FR Topology
• A lot of this may be pre-configured so verification doubly important
• Use [1] shut [2] enc frame-relay [3] no frame inverse-arp [4] no shut.
• Decide to use either frame-relay map or use sub-interfaces
• Ping from spoke to spoke if possible to validate.
• Extra mapping required if required to ping your own interface
• If PPP over FR, then always create VT first, user/password
• Save, reload, and then verify all working.
• FRTS – Know your CIR=Bc x 1000\Tc; Be=(AR-CIR) x Tc/1000.
• DocCD Location => Main URL = http://www.cisco.com/web/psa/products/index.html
– Cisco IOS SW Release 12.4 Family – 12.4 Mainline – Configuration Guides - Cisco
IOS Wide-Area Networking Configuration Guide, Release 12.4.
• Verification Tools - ping, show frame-relay map, show int virtual-template, show int
virtual-access, show traffic-shape, show interfaces serial, show frame-relay lmi, show
frame-relay pvc, clear frame-relay inarp, clear interface, debug serial interface, debug
frame-relay lmi, debug frame-delay events, debug frame-relay packets
=> Golden Moment: Frame-Relay is the spinal cord of the inter-network, it must be 100% <=

Page 2 of 7
Switching: [15 minutes: 0900->0915]
• Check VLAN’s as per instruction
• Check VTP Modes
• Check Trunking & Access Ports
• A lot of pre-configuration completed so use the verification commands below.
• Ping vlan by vlan. Select only one device and ping all other on a specific vlan.
• If naming something, type it exactly as specified – Ref: Narbik
• Specify both Duplex and Speed as Auto-Sense can be troublesome – Ref: IEMentor
& Gorito
• DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline,
Configuration Guides, Cisco IOS LAN Switching Configuration Guide, Release 12.4
• Verification Tools => show interfaces, show interfaces trunk, show vlan brief, show
vtp status, clear interface

Cell-Mode MPLS: [15 Minutes: 0915->0930]

• Configure any ATM interfaces required – PVC/SVC, NSAP Addressing,
• Watch for tag-switching or label-switching.
• Security authentication may be required
• Use ping to verify
• DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline,
Configuration Guides, Cisco IOS Asynchronous Transfer Mode Configuration Guide,
Release 12.4
• Verification Tools => show interfaces, show atm pvc, show atm svc, show atm map,
show atm traffic,

PPP/Ethernet: [15 Minutes: 0930->0945]

• Configure PPP/PPPoE as required, PPPoE enable, pppoe-client, interface dialer, etc.
• Know security configurations, ping and validate.
• Be aware of IOS nuances with these types of features.
• DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline,
Configuration Guides, Cisco IOS VPDN Configuration Guide, Release 12.4 & Cisco
IOS Broadband Access Aggregation and DSL Configuration Guide, Release 12.4
• Verification Tools => show pppoe session

=> Golden Moment – Bridging & Switching Complete – Total Time 1 Hour 45Mins <=

♦ IGP: [Note that probably only one of these will be the core IGP]
OSPF: [30 Minutes: 0945->1015]
• While reading the task, use your master diagram to configure OSPF router by router
not area by area. Look for the following OSPF characteristics.
• Authentication, stub or nssa, virtual link
• Refer again to your master diagram, colour in the OSPF areas.
• Make a note on redistribution, summary, area-range, DR/BDR, OPSF network type.
• Get Area 0 working 100% first.
• Ensure Area 0 Contiguous, test, create GRE/Virtual-links, and test again.
• Configure other areas.
• Leave OSPF Security until last.
• From a time perspective, router by router saves you revisiting router and typing in
additional commands after the fact.
• First Interface and then router ospf

Page 3 of 7
Preferred sequence for configuring interface
1) OPSF network type based,
2) priority,
3) Authentication,

Preferred sequence for configuring OSPF process

1) router-id
2) area authentication,
3) neighbor,
4) Network (copy paste from interface address)

• Validate everything is working (show ip os ne, show ip os vir, show ip os interface,

show ip route)
• Do redistribute summary, area range, filtering [Be Careful!]
• Validate and verify prior to moving on.
• Save Configurations,
• Reload routers and final verification.
Note: Some candidates do not reload, some do – I will.
• DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline,
Configuration Guides, Cisco IOS IP Routing Protocols Configuration Guide, Release
12.4
• Verification Tools => show ip ospf, show ip ospf interfaces, show ip ospf neighbor,
show ip ospf database, show ip ospf virtual-links, debug ip ospf events, debug ip ospf
hello, debug ip ospf packet

IS-IS: [30 Minutes: 1015->1030] – Same as OSPF – Allowing additional 15 minutes in case
both are present.
• This has been noted by previous candidates and having quite a bit to do on the SP
Exam! Refer again to your master diagram, colour in the ISIS areas.
• Configure ISIS on relevant routers
• Note what ISIS Levels are required – 1 or 2,
• Assign appropriate NET addresses
• Remember unlike other IGP’s, ISIS configured at Interface level and is essentially a
L2 protocol.
• Verify adjacencies
• Due to ISIS only knowing two forms of media – LAN or point-to-point -> use the
frame-relay map clns command to create maps for protocol to run.
• Configure any ISIS filtering/redistribution
• Configure Authentication if required.
• Configure any additional ISIS nuances/parameters such as metrics/timers, etc we
encounter.
• DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline,
Configuration Guides, Cisco IOS IP Routing Protocols Configuration Guide, Release
12.4
• Verification Tools => show isis database, show isis topology, show clns protocol,
show clns interface, show clns neighbors.

=> Golden Moment - IGP Complete – IGP Time 1 hour – Total Time 3 Hours <=

Page 4 of 7
 ♦ BGP: [60 Minutes: 1030-1130 – dependent on points]

• While reading task, draw BGP topology on master diagram, this is important.
• Determine Route Reflector or confederation or both to do full-mesh iBGP.
• See if neighbor peer-group is required,
• Configure router by router not BGP session-by-session
• Configure one AS then another – be AS focussed.
• Ascertain required address families & configure – ipv4, vpnv4, ipv4 vrf, etc
• Ensure reachability, one AS at a time.
• Spend enough time to be absolutely correct on route-filtering (ACL, prefix-list, as-path
filer), route-aggregate(w/ as-set, summary-only, supress-map, attribute-map,
advertise-map), route-manipulation( w/as-prepending, med, local-pref, weight, next-
hop, advertise-map/non/existing-map, origin, community, etc ) route-dampening, etc.
• Resolve any next-hop-self issues which are easier to troubleshoot working one AS at
a time.
• Validate config. Use "clear ip bgp * soft "not", clear ip bgp *.
• Leave BGP Authentication until last.
• Save, reload and test.
• DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline,
Configuration Guides, Cisco IOS IP Routing Protocols Configuration Guide, Release
12.4
• Verification Tools => show ip bgp, show ip bgp summary, show ip route bgp, show
ip bgp neighbors, show ip bgp neighbors neighbor-ip-address, debug ip bgp

=> Golden Moment – EGP Complete – Ensure full Reachability Maintained, Save Configs <=

Reachability Test: [Before lunch if possible followed by reloading routers]

Test full reachability with TCL Script. Check you get an ICMP response from every router to
every router. If ping has no response, write down IP address and troubleshoot.
The master diagram will help here. Method involves - show ip alias, Copy to Notepad, Search
and Replace to "Massage the Data and toss in the PING Command), Wrap what's left in a
TCL or Macro, Copy and Paste into a Router.

Run tclsh script

"foreach addr {
1.1.1.1 <http://1.1.1.1
...
} { ping $ addr}" Just copy past after tclsh - To quit, just type " tclq". Also to quote Scott
Morris -> I'd leave "debug ip routing" turned on through the rest of the day. It can be a quick
indicator to things getting messed up (like when you add ACL’s or play with NAT!)

♦ MPLS: [30 Minutes: 1130->1200]

• Tag Switching v Label Switching, when to use which ones – Watch for IOS Bugs
here!
• Watch any integration with EGP
• MPLS might be the final piece of the jigsaw for full lab reachability.
• Cell Mode v Frame Mode
• MPLS Traffic Engineering – Levels, metric-style wide, ip explicit config, RSVP? etc.
• DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline,
Configuration Guides, Cisco IOS Multiprotocol Label Switching Configuration Guide,
Release 12.4
• Verification Tools => show mpls forwarding-table, show mpls interfaces, show mpls
ldp neighbor, show mpls ldp parameters, show mpls traffic-eng autoroute

Golden Moment – Lunch – Reachability, Save Configurations & Reload.

Page 5 of 7
Afternoon Session:

♦ SP Management: [15 Minutes: 1230->1245]

• Know SNMP, setting up community strings, traps, RMON, pointing at various devices,
etc
• Netflow, destination address, port no, version, etc
• NTP, master, server, source, etc.
• Know about various IP Services available in the IOS
• DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline,
Configuration Guides, Cisco IOS NetFlow Configuration Guide, Release 12.4 & Cisco
IOS Network Management Configuration Guide, Release 12.4 & Cisco IOS
Configuration Fundamentals Configuration Guide, Release 12.4
• Verification Tools => Multiple Commands.

♦ SP Security: [30 Minutes: 1245->1315]

• Be careful not to block or drop any IGP updates; Draw a flow on paper if required
• Consider all options for classification - std/ext/reflexive/dynamic ACL, IP Prefix List, IP
inspect, tcp intercept, Unicast RFP, ip accounting output packet /access-
violation/precedence.
• Be aware of various ways to configure MD5 for IGP, some of this may be completed
via the IGP\EGP sections, ensure you have read ahead at the start of the lab.
• When configuring Switchport port-security mac-address, be careful to include virtual
and physical mac if HSRP is running
• Know response planning to common security attacks such as DOS, Smurf, etc.
• DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline,
Configuration Guides, Cisco IOS Security Configuration Guide, Release 12.4
• Verification Tools => Multiple Commands.

♦ MPLS VPN: [75 Minutes: 1315->1445]

• So much here: VRF, VRF-Lite, MP-iBGP, MP-eBGP, Important to map out on your
master diagram, the flow/direction of the VPN Traffic so that the correct configuration
can be applied to the correct interface on the correct router in the correct direction!
• MP-BGP filtering, specifying route-targets, etc
• PE-CE Routing, RIP - Watch Split-Horizon is off on physical FR and ATM,
authentication, version, auto-summary, etc; Other IGP/EGP considerations configure
router-by-router, Advanced Options-CSC, Internet Access, Central Services, etc.
• Be aware of various backup routes for the VPN traffic in the event of line/router
failure, redistribution of PE-CE to Core and vice versa.
• Be aware of VPN and Frame Relay specific limitations
• GRE/mGRE tunnels, when to use, how to configure.
• Be able to provide Internet Access from one portion of the inter-network to another.
• Be able to exchange EGP traffic across AS’s, watch next-hop, watch multi-hop, etc
• QinQ/PPoE – benefits = reduce no of VLANs, scalability, encap dot1q, pppoe
enabled, etc.
• DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline,
Configuration Guides, Cisco IOS Multiprotocol Label Switching Configuration Guide,
Release 12.4

Verification Tools => show ip vrf, show ip route, show ip route vrf vrf-name [prefix], show
ip cef vrf vrf-name [ip-prefix], ping vrf, show ip bgp vpn all summary, show ip vrf detail, ping vrf
<vrf> <ip address> source <source ip>, sh ip bgp vpn all summary, sh ip bgp vpn all, sh ip
bgp vpn vrf <vrf> summary, sh ip bgp vpn vrf <vrf>, sh ip bgp vpn vrf <vrf> labels, sh mpls
forwarding, sh mpls forwarding | inc <prefix>, sh mpls forwarding vrf <vrf> <prefix>, sh mpls
forwarding label <label>.

Page 6 of 7
 ♦ SP Multicast: [30 Minutes: 1445->1515]

• Setup PIM Mode as required – Sparse/Sparse-Dense – Use address-family ipv4

multicast were required
• Identify PIM RP or Bootstrap requirements
• Don’t forget ip multicast-routing and/or ip multicast-routing vrf <VRF>
• Be aware of route filtering
• Join any IGMP Groups if required, check with pings,
• Check Unicast and multicast traffic work across different AS.
• Multicast VPN, default MDT, data MDT, MDT Group Addresses, MSDP, etc
• DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline,
Configuration Guides, Cisco IOS IP Multicast Configuration Guide, Release 12.4
• Verification Tools => show ip igmp groups, show ip pim rp mapping, show ip
mroute, show ip interfaces.

♦ SP QoS: [30 Minutes: 1515->1545]

• Be careful not to block or drop any IGP updates

• Draw a flow on paper
• Interpretation of what is required & which QoS Method to use is Key!!
• Determine classification method (ACL, NBAR) and direction.
• Determine Shaping v Policing
• Consider all options for queuing (legacy custom/priority, bandwidth/priority, shape
average/peak, FRTS/GTS) – Always Outbound.
• Consider all options for policing ( police, rate-limit, ip multicast rate-limit, aggregate
police( 3550))
• If frame-relay, don't forget adaptive-shaping.( becn, fecn, foresight)
• Consider all dropping mode (random detect, ecn, tail drop, marking, etc)
• DocCD Location => Main URL, Cisco IOS SW Release 12.4 Family, 12.4 Mainline,
Configuration Guides, Cisco IOS Quality of Service Solutions Configuration Guide,
Release 12.4
• Verification Tools => show ip rsvp, show class-map, show ip rsvp reservation, show
mls qos, show policy-map, show queueing, show traffic-shape, etc.

Timings & Tips:

• According to this schedule this allows me 45 minutes for checking, saving, reloading,
troubleshooting, going back to skipped sections, etc.
• Remember the pass mark is 80% not 100% - we can allow for 6 sections worth 3
points each not to work out and still pass!!!!
• Route Filtering – Know this cold, affects several areas, pass or fail the lab on this
alone IMO!
• Skipping Difficult Sections – This is a dangerous but potentially rewarding path up the
mountain but slippery and easy to fall down on – Risky Approach.
• Redistribution – Say no more, need to pass routes, this is it – potential failure point.
• Strategy has to be flexible depending on the progress through the day.
• Ensure the “gimme” questions are answered 100% - These are key to success.
• Ongoing Validation, via show commands and TCL Script, saving and reloading at
least twice I believe is essential.
• Speed accessing resources on the DOCCD is essential – should be less than 90
seconds lookup per topic.
rd
Authors Note: Please feel free to contact me if you can add value to this 3 Edition as I
would like to think this can help other SP candidates with a lab structure going forward.

Page 7 of 7