Tuesday, February 28, 2006

2 Law

One guy saw my Metro Ethernet score report this morning and asked me the question: why I keep doing this CCIE stuff. Why I keep taking CCIE lab even there are lots of misery during the journey: losing social life, bunch of money, and all the excitements in the world only for one damn 8-hours exam.

Well, my answer is simple:
- Because it’s fun
- Because last year, when I was still only a CCIE, I tried to apply to Advance Services Team in Cisco Middle East and I got rejected because I was not “qualified enough”
- Because I want to learn new stuff and CCIE is the only thing that can accommodate me

I have invented something that I called 2 Law of Desperate Workers:
Law 1: To get a better job, you need to have good experience and build good working experience profile
Law 2: In order to get good experience and build good working experience profile, you need to work in a better job

So far I use CCIE to solve the 2 Law issue. Well, it won’t give me large scale deployment experience, but at least it’s close enough to make me able to design, setup and troubleshoot complex technology in much smaller scale. So to learn MPLS in deep detail, CCIE Service Provider is the answer.

But the scariest question for me now is: how if I become triple CCIE later this year and still can’t get a better job? What kind of excitement that I can get other than working on fancy features in Cisco boxes? Doing another CCIE by my own is getting harder, because the other 2 tracks left are Voice and Storage. With my current situation, it’s almost impossible to build those 2 labs at home. It’s just too expensive. And until now I’m not interested enough to take that path.

So hear me you guys in Cisco Systems, please accept my message, Mr. Chambers: I’m willing to work in Cisco Systems Advance Services Team in any location in the world.

Why Advance Services?
Because I know people in Advance Service dealing with analysis and diagnosis of highly complex networking problems and complex network designs, up to builds simulated networks in test labs to resolve highly complex problems and compatibility issues. It’s a very challenging job and it gives me a chance to help all Cisco customers directly just like what I have been doing with my current company, with larger scale. And of course, with @cisco.com behind my name.

Why Cisco?
Everything I know related to networking I learned it from Cisco. My bookshelf is full of Ciscopress books. Everytime I want to know about new networking technology, I always refer to Cisco website first. I use Cisco certification to advance my career. I read Cisco books to get clear explanation of RFC. So working for Cisco directly, is just like going home to me.

Why anywhere in the world?
Well, if I had privilege to choose than I wouldn’t write this in my blog and expect someone from Cisco to read it, right?

So until I get the offer from the “better place”, I will keep myself busy in CCIE Service Provider track. I will try to borrow some 7200 routers so I can test EoMPLS Martini and Interworking, several new magical things in networking world. At least for me.
Who knows what will happen after I pass my third CCIE. But at least let me enjoy every second of this journey.

And btw, if you are reading this and know some opportunities and you think it may makes me happy, please let me know. Thanks.

Monday, February 27, 2006

30 Going Triple

I have just passed the CCIE Service Provider – Metro Ethernet written exam today. Half of the questions were about general networking concept and routing switching stuff, while the other half focused on Layer 2 VPN technology: pseudowire, VPLS, AToM, Interworking, Local Switching etc. It took me less than an hour to complete the test and I don't bother about the score because I just want to pass.

Following is the material I used to study:
Halabi’s Metro Ethernet book
Layer 2 VPN Architecture by Wei Luo etc
Re-read Ivan’s MPLS VPN book
This is not required, but I read some chapters from Osborne’s Traffic Engineering (TE chapter from Halabi book is enough for the exam)
And definetely my favorite resource: Networkers Online presentation. I love the L2VPN troubleshooting session with Dmitry Bokotey.

For me, passing CCIE written doesn’t mean anything except makes me eligible to register for the lab. I have mentioned in one of the points in How to Become CCIE: studying written won’t help much in real lab. The reason is because the coverage in written exam is different with the lab.
Metro Ethernet exam focuses on Layer 2 VPN, while the lab focuses on MPLS VPN, MP BGP, TE, multicast, QOS and Security in Service Provider environment, and normal routing switching stuff.
According to Tong Ma, CCIE SP lab proctor in San Jose, and Vincent Zhou, the CCIE SP Program manager, there is no lab in the world that has 7200 routers to test Layer 2 VPN. IOS 12.0 S is required to deploy L2VPN and this code can run only on 7000 series router and higher. So it’s coming, they said, but until all the lab hardware has been upgraded, L2VPN won’t be tested.

I’m planning to become Triple CCIE when I’m still 30.
So it means I have only 10 months left.
It's time to get dirty again.

Friday, February 10, 2006

How to Become a CCIE

Cracking CCIE Security Lab
By Himawan Nugroho, CCIE #8171 (R&S, Security)

Two weeks ago I passed my CCIE Security lab. It was my 2nd attempt in Brussels. I passed my CCIE Routing & Switching lab 5 years ago in Tokyo on 2nd attempt too. I become double CCIE in R&S and Security without taking any trainings or bootcamp. Only with self-study, countless hours in my home lab, and lots of Starbucks Mocca Frappucino.
Based on my experience taking 4 lab attempts, I try to write down the summary how I did it. This how-to is specific to CCIE Security lab, but the general idea can be applied to any CCIE tracks.

Scott Morris
, Quad CCIE, wrote the article 'So You Want To Be a CCIE?' and it's really worth reading. Yusuf Bhaiji, CCIE Security lab program manager and the author of CCIE Security Practice Labs wrote 'Insider's Tips on Earning Your CCIE in Security' in Packet Magazine August 2004 page 18.

I'm not trying to compete with them. They are the masters. I'm just another guy who has just passed CCIE lab recently and willing to share his way.

So here it is, my version of Cracking CCIE Lab:

1. Start with the self-assessment

Are you sure you want to do CCIE? As you may already heard: yes, CCIE is difficult, very rare people can pass in 1st attempt. Yes, CCIE is expensive, only the exam fee is $1250 and you still need to spend money to build home lab, buy books and workbooks and other resources. And yes, you certainly will not have your social life during the journey.

But if you really want to do it, if you really want to distinguish yourself and stand out from the crowd, I suggest you to do self-assessment as the first step.
Read CCIE lab blueprint. For Security lab, it's on here.

CCIE blueprint will tell you the coverage of the lab and areas you need to focus on during your study. Then ask your self: are you familiar with those technology listed in the blueprint? If you have 4-5 years experience working in Cisco partner deploying Cisco security solutions on the field, you should know at least 60 to 70% of the blueprint easily. Then you just need to study for the rest 30%.
But even you don't have much experience and feel completely lost reading the blueprint, CCIE lab is still achievable. Continue reading.

2. Use other certification as steeping stone

This is optional if you think you need some help for your study. Cisco has created certification career from basic, medium to expert level, which is CCIE.
Read the complete information here.

For CCIE Routing & Switching, CCNP can help you to learn routing, switching, Remote Access technology and troubleshooting skill.
For CCIE Security, you must learn Cisco security technology and you still need to deal with some Routing and Switching because the network in your lab must be built first before you can secure it.
So to learn Firewall, VPN, IDS and Router security at a time, you can use CCSP certification.
And to learn Routing, I recommend to take CCIP.

Why CCIP? Because in CCIP, you will learn about IGP Routing and BGP in advance. And you will learn Quality of Service. QOS is important because there are lots of attack mitigation techniques can be done using QOS. For example, instead of dropping ICMP flood traffic we can just limit the bandwidth, so we still can have legitimate ICMP traffic.
The MPLS exam is not important so you can either skip it or just take it and become CCIP.

Most of the switching part in Security lab is pre-configured. So you can just start by learning the security technology in Cisco 3550 switch. That should be enough for switching part. And this is one of the reasons why I don't recommend CCNP for CCIE Security lab but CCIP instead.

Taking those certifications give you benefit to learn specific technology at a time and even you are not a CCIE yet, at least you will achieve CCSP and CCIP. Something is better than nothing.

3. Build your home lab

I believe having a home lab is compulsory. You can always rent a rack but you will have a fix schedule with them. With home lab you are the one who controls the schedule. And you can always try in your home lab directly every time you read something interesting or you just want to test the option in some IOS commands.

If you have tight budget, at least you should have few routers at home.
My recommendation for minimum home lab: 5 routers and 1 switch.
The cheapest routers that you still can use for CCIE lab is 2610 series.
They can run IOS Firewall natively and if it's required you can boot Enterprise software for 2600 XM series with this trick.
You can find Cisco 2610 with less than $200 on eBay.
Don't go to 2611 or 2620 since they only offer more interfaces or Fast Ethernet but they still run exactly the same software with 2610. You don't need Fast Ethernet for sure and you can always create trunk to have multiple interfaces.

Buy 1 Cisco 2522 or 2523 as Frame-relay switch. Obviously you need WIC-1T modules and V35 back-to-back cables. Cisco 3550 switch, the one currently in CCIE Lab, is expensive so you can replace it with 2950 model. Cisco 2950 can't run routing and all enhance Layer 3 features, but you still can test those with rental lab.

For Security lab, you must have a PIX firewall. Either the smallest series, 506E, or franken PIX.
With 506E you have only 2 interfaces but again, you can make them as trunk to have multiple interfaces.
If you have option to buy either VPN concentrator or IDS, get the VPN.
Or you can rent a rack for several hours only to practice both of them.

So, with 4 Cisco 2610 routers, 1 Cisco 2522 FR switch, 1 Cisco 2950 (without Giga ports), 1 PIX 506E, and several WIC-1T modules and back-to-back cables, your home lab should not cost you more than $2000. And all of these can be sold once you pass.
You still need to spend some money to rent a rack, at least to practice VPN, IDS and 3550 features.

4. Passing written exam doesn't mean anything

Based on my experience so far, I found out that studying written exam can't help you much in the lab. Most of the time the material covered in written exam is completely different with the lab.

So until Cisco makes the written exam more related to the lab, I suggest to just pass it, even if you have to cram the material or use some practice test.
My suggestion is to read the written exam book just like CCIE Security Exam Certification Guide and then practice the questions using product like from boson.
With one note: don't trust the answer from any practice test vendor. Find out the answer by yourself from CCO or Internet and this will accelerated your study. This kind of attitude will help you in the lab later on.

Passing CCIE written doesn't mean you are a half-CCIE. For me, it doesn't mean anything in fact. It's only a pre-requisite exam that you must take before you can register for the lab.
Nothing to be proud of even if you score 100 in written. Last time I took the exam the passing score is only 70. Get 71 to pass and register for your lab. That's what matters.

5. Read a lot

No single source can make you pass CCIE lab. You really need to read a lot from different resources: Cisco website, RFCs, Networkers, Ciscopress books, study forum, CCIE workbooks and any related links on the Internet.

Following is the list of resource I used during my CCIE Security study:

1. Cisco configuration example and TechNotes
2. Cisco technology support
3. Cisco documentation CD (univercd), which is basically the same with product configuration guide
4. Networkers Online presentation, it costs me 200 bucks but provides complete Networkers 2005 presentation in Las Vegas with sound and slide
6. Ciscopress CCIE Security Exam Certification Guide - H. Benyamin
7. Ciscopress Network Security Principles and Practices - Sadat Malik
8. Ciscopress Cisco ASA and PIX Firewall Handbook - Hucaby
9. Ciscopress Cisco Router Firewall Security - Richard Deal
10. Ciscopress CCIE Security Practice Labs - Yusuf Bhaiji
11. CCIE Security Workbook from Trinetnt
I have other CCIE Security workbooks from IP Expert, Internetwork Expert, 6colabs, Hello Computers, and CCBootcamp.
But during the last 4 months before my exam, I had been focusing only with Trinetnt. As per date, they are the most decent workbook and they cover almost everything in CCIE blueprint.
12. CCIE Lab forum: SecurityIE and trinet forum

Just FYI, I have already passed CCSP, CCIP and I have more than 5 years experience with various Cisco security products before I started my CCIE Security journey.

6. Build your speed

Okay, now it's time to practice and try all the technology listed in CCIE blueprint in your lab. Start slowly. Learn single topic at a time. Try to really understand all possibilities in one technology before move to different topic.
This is where the CCIE workbooks can really help. Good workbook like the one from Trinet provides minilabs to focus on single topic at a time.

I recommend to start slowly because studying CCIE sometime can be really frustrating. Especially when you stuck with one thing and don't know where to find the answer. That's why I against the idea to jump directly to complex lab scenarios. Single step at a time.

Once you get used with the lab flow, try to increase your speed.
Practice, practice, practice.
You need to be fast in the real lab. And there is no other way other than practice.
Keep repeating the same thing until your fingers, not only your brain, memorize how to configure any security technology listed in blueprint.

I use only the best workbooks to practice: Trinet and Bhaiji's book.
I found out if you can complete 1 Trinet superlabs with less than 3 hours time, than your speed should be fine for real lab.

Obviously when you practice with any workbooks, you must understand why and when you should configure with certain way.

7. Join the community

You can't win this battle by fighting alone. Join the community to meet other CCIE candidates and study together. I found SecurityIE forum is really helpful. There are a lot of security experts in that forum and the discussion is really depth. The forum archive is priceless.

Trinet forum was active when it was started. I was involved from beginning so I enjoyed my time discussing directly with Khawar Butt, the founder. I can see now there is very less response from Khawar anymore in that forum. But I believe you still can discuss with other CCIE candidates. And try to dig the archive to see whether things you are looking for have been discussed in the past.

If possible, try to create small discussion group. I met some wonderful people from those forum and we decided to study together. It's always good to have somebody else to verify your weak points.

During my journey, I was really happy just to know that there are several people out there that I can discuss with every time I stuck in my lab at 3 am in the morning.

8. Learn how to ask

Make sure you know how to ask questions, to the study forum and during the real lab. Before you send something to the forum, please make sure to check the archive. Try to test it by yourself in your lab, and when you get stuck, copy the related configuration with show and debug output and send it to forum.
With this way, we can build a healthy discussion and most probably you will get positive answers.

This attitude is important when sitting in the real lab too. During my 2nd attempt, my proctor mentioned something like: “if you have any questions you can ask me, but most probably I will not answer”
So you need to know how to ask question to your proctor. Otherwise he will throw his pity look to you and say: I'm sorry I can't answer that.

I believe if you know all the technology listed in the blueprint, and you already have this attitude, you should be able to ask smart question to the lab proctor. They are there to clarify the lab questions, and that's the only thing you should try to get from them: clarification.
By asking the right question for sure.

9. Understand the Lab questions

Speed is critical, but you need to know how to answer too. So when you think you already have the speed, you need to dig each topic in more detail. There is no other way other than try any possible scenarios and read more to understand all technology in-depth. Check all the options from each IOS command, test it, run the debug, compare the result, then move to different technology and do the same thing.

During the real exam, don't overlook and make assumption. Read the question carefully. And if you don't understand something, you can ask clarification from the proctor.

Yusuf mentioned in his book that most candidates fail not because they don't understand the technology, but because lack of understanding the question. Make sure you read his book several times to make sure you understand what he expects from the answer.

10. Trust no one, trust no solution

You should not trust any of your resources until you prove it by yourself.
This is the only attitude that can make you pass.
I found a lot of mistakes in Cisco sample configuration and workbook solution. Even Bhaiji's book contains several errors. Study forum is good because people try to test something together. But are you sure the solution posted really works?
Why you have to bet, just try it by yourself in your lab.

Every time you see some scenarios and the answers, always ask the questions: What if? Why not using this? How if I modify that?

I like Trinet because the workbook provides general idea of the real lab and makes me really fast. But I don't just believe their solution. I always tried to answer their scenarios with my own way, and then modified the scenarios, put more requirements and restrictions.
I often ended up with my own scenarios, which are much more difficult from the original.

11. It's all in your mind

CCIE is completely a mind game. I failed 4 years ago in my 1st CCIE R&S attempt in Brussels because no one told me at that time how difficult CCIE lab was. Everyone I know always told me that the CCIE lab is so difficult that only few selected people who can pass it. And I'm certainly not one of them.

I went to my 1st attempt with this feeling, that I was not ready and CCIE questions would always be one step ahead me. It was 2 days exam and I was able to reach troubleshooting section on 2nd day. But I failed with 5 mark away from the passing grade. I felt terrible but I realized one thing: CCIE lab is achievable. If you have spent a lot of time to prepare, then it's even possible to pass on your 1st attempt.

For my 2nd attempt in Tokyo 1 month later, I woke up in the morning and told myself in front of the mirror that I would become CCIE that day.
CCIE lab is an exam and the proctors are "only human". I kept telling myself: there is no spoon.
I was able to keep my sense of humor even in Japan I had to use Japanese version of Windows and keyboard.
One and half hour before the troubleshooting section over, I have already walked out Cisco office with my CCIE number.

Indeed I failed in my 1st Security lab attempt last December. But I failed at that time because I was so confident and overlook several things. I was really sure that I would pass that day and made me forget one basic rule in CCIE lab: this is Cisco exam. They make the lab and they expect me to answer as per their solution.

12. The journey must be fun

In the end, CCIE lab is only an exam. Even it's Goddamn hard to pass but this journey must be fun. Turn all the pressure as a power.
Use any supports around you: your family, friends, working environment.
Manage your time so even you will not have social life at all but at least you should enjoy it.

And If you fail, do the classic: learn from your mistakes.
Try to know exactly what your mistake is and address it once you go back home.
Never think to stop in the middle, no matter how many times you fail.

I always believe that there are 2 kinds of CCIE candidates out there: one who always makes excuses why they should not do it again and quit, and one who just jumps back into their lab and start debugging their mistake.
The second one will pass eventually and join the elite club of experts. The first one will join the club of losers.

Which one do you want to end up? The choice is yours.