Going for the CCIE Security

  • Iristheangel Mod Posts: 4,133
    Right. In any deployment, you can have only 2 Admin nodes and 2 MnT nodes - and they're active/standby.

    You can still have 40 Policy Service Nodes and they're active all the time. They're truly the ones doing all the work. In your case, you have them down to 2 nodes - so the MnT/Admin functions are only active on one node at a time (the other standby node is synchronizing data with the active) and the Policy Service Node functions are active-active on both.

    So even though one is "active" in terms of pxGrid, you can still point your network devices to both since they're both functioning as active PSNs as well.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Iristheangel Mod Posts: 4,133
    Let me explain it a little better - ISE can have only three different types of "personas:"

    Policy Administration Node (PAN):
    - This is where you write all your policies and manage the deployment and it'll push the policy down to the PSNs
    - There can only be 2 of these in a deployment in an active/standby fashion. Why? Because beyond administrative tasks, they're not actually taking the requests from your network access devices so you don't need a ton of these deployed at every site
    - If there are two PANs, they're replicating their data between each other

    Monitoring Node (MnT):
    - This is where your logs, historical data, reports, etc. go to live
    - Only 2 of these in a deployment and they are deployed in an active/standby fashion
    - The active-standby replicates data between each other

    Policy Services Node (PSN):
    - These are the true workhorses of the deployment and there can be 40+ of these in any given deployment
    - These are where your network access devices send their actual requests
    - When you create a policy, the PAN will push it down to these guys and the PSNs won't have much more need for the PAN except for things like guest creation and certain services. For other services like dot1x, both your PANs could die and as long as your PSNs were still up, you would not notice any issue.
    - The PSNs don't replicate in the way you think. Older versions used to share attributes but that's been trimmed down a great deal. Most of the information from the PSNs is sent to the PAN and MnT
    - They are always active. Making your NADs go to these is as simple as adding another RADIUS server in the config. If you have a really large deployment, my recommendation is to have a local VM PSN at bigger sites and have the NADs fail over to another PSN in a central site (i.e. data center). I've even seen 2 for failover (DC and DR). It all depends on your deployment and what you want to do....


    Now that I've gotten that out of the way, these different personas can live on the same box or separate as a distributed deployment. It doesn't change the functions or whether they're active/standby. So let me give you a few scenarios to draw this out (YaY Surface 4 Pro!):

    Let's say you have 3 ISE nodes sitting in each data center. This is similar to what the traffic will look like:


    The Active-Standby MnT and Admin nodes will replicate between each other and the PSNs will take all the requests and your NADs in your environment can send the requests to either of them - they're both active and sharing reporting information to the MnT which is replicated to the secondary. Awesome, right?

    Now in your deployment, you have three personas on the same appliance. Do you want to know what that changes? Nothing. This is literally how it looks:



    So the different "personas" in the same appliance carry on their duties and do the same thing they would be doing if they were on separate appliances. So in terms of pxGrid, your pxGrid clients will be talking to the PAN and MnT nodes. Those don't need to be active-active because they're not the true "workhorses" of the ISE deployment and they're replicating data between them to keep synced if one were to die suddenly. If one were to die and it failed over and then host 1 comes back up, host 1 can take RADIUS requests IMMEDIATELY regardless of whether you fail anything over. It'll just be syncing up with the active MnT node over the WAN which isn't huge amounts of traffic or all your RADIUS requests going that direction. Your local PSN can still do the work.

    If you had active-active Admins, you'd have two points where people might be trying to configure and you'd be doing 2-way syncing of traffic. Same with the MnT nodes - if two were active and PSNs were reporting to separate ones, you'd have more traffic trying to sync the difference between the two.

    Does that make sense?
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
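    The post above describes the NAD side only in a sentence ("adding another RADIUS server in the config", with a local PSN preferred and a central PSN as failover). The following IOS switch configuration is an added example written for this thread; it is not from the poster, from Cisco documentation, or from any ISE deployment guide. Every hostname, IP address, username and shared secret is a constructed placeholder, and the assumed layout is one PSN at the site (10.10.10.21) and one in the data center (10.200.10.21).

```ios
! Added example: NAD (IOS switch) pointing at two active PSNs.
! All names, addresses and keys are constructed placeholders.
aaa new-model

! Both PSNs are always active; the NAD just lists both as RADIUS servers.
radius server ISE-PSN-LOCAL
 address ipv4 10.10.10.21 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
 timeout 5
 retransmit 2
 ! Probe the PSN on a timer so a dead server is noticed before a user hits it
 automate-tester username ise-probe idle-time 5

radius server ISE-PSN-DC
 address ipv4 10.200.10.21 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
 timeout 5
 retransmit 2
 automate-tester username ise-probe idle-time 5

! Servers are tried in the order listed: local site first, data center second.
! deadtime keeps the switch from retrying a dead PSN for 15 minutes.
aaa group server radius ISE-GROUP
 server name ISE-PSN-LOCAL
 server name ISE-PSN-DC
 deadtime 15

! A server is marked dead after 3 consecutive unanswered tries within 5 seconds.
radius-server dead-criteria time 5 tries 3

! dot1x/MAB authentication, authorization and accounting all go to the PSN group.
! Note that no PAN or MnT address appears anywhere in this config.
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP

! Change of Authorization (CoA) is sent by whichever PSN owns the session,
! so every PSN must be an authorized CoA client or failover silently breaks CoA.
aaa server radius dynamic-author
 client 10.10.10.21 server-key PLACEHOLDER-SHARED-SECRET
 client 10.200.10.21 server-key PLACEHOLDER-SHARED-SECRET
 auth-type any

dot1x system-auth-control
```

    After applying this, `show aaa servers` on the switch shows each PSN's state (UP or DEAD) and the probe results, which is the quickest way to confirm that the local PSN is being used and that the data center PSN is reachable before a failure forces the switch onto it. The dead-criteria and deadtime values are the knobs that decide how long supplicants wait on a failed local PSN before requests move to the central one.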
  • sucanushie Member Posts: 163
    I understand when it comes to the PAN and MnT. They work how I wish pxGrid would work.

    If the PAN goes down the secondary gets promoted to the primary. When the primary PAN comes back up it takes back the primary role.

    This does not happen when it comes to pxGrid.

    If node 1 is currently running the pxGrid service and it goes down, node 2 will take over and run the pxGrid service. That's great and what we want. But when node 1 comes back online it doesn't take back over running pxGrid services. They will continue to run on node 2. The only way I can see to fail them back to node 1 is when node 2 goes down.
  • Iristheangel Mod Posts: 4,133
    This week's update is a non-update. Didn't get much done this week. My 16 year old cat got sick and I had to put him down this week. Wasn't really feeling in the mood to study during all that.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Iristheangel Mod Posts: 4,133
    Meh... mini-update. Finally got some stuff up and running today. I need to find a place where my gear can live or it's going to get pretty expensive with electricity. Spent the day building the virtual/physical lab:


    There's some things I can virtualize (ISE, ACS, Firepower, AD, etc) and some things not as easy like the switch itself. I have a spare 2504 from years ago that I'm thinking I'll use for the wireless portion given that if they decide to throw TrustSec on the exam, vWLCs don't support SXP so I have to go physical if I want to lab it out.

    This week I'm going in with the goal of getting the AMP reading/labbing done. Hopefully I'll get through a lot and no other catastrophes or otherwise horribly sad things happen.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • sucanushie Member Posts: 163
    Look forward to your updates. Going to finish NP Security this year then tackle CCIE.

    Thankfully we have most of the technologies and I work on them every day.

    P.S. ISE 2.1 UI looks fancy! Even a new login screen, and the Work Center menu has 10X as many things :)
  • Iristheangel Mod Posts: 4,133
    Ok, kicked some butt last week. Got through all the SSFAMP coursework. This week I plan on going through the following book: https://www.amazon.com/Practical-Deployment-Identity-Services-Engine/dp/0128044578/ref=sr_1_1?ie=UTF8&qid=1465828065&sr=8-1&keywords=Cisco+ISE

    I also have a meetup this week on Firepower and rebuilding my lab at home. Pretty good stuff. Keeping busy
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • broli720 Member Posts: 394
    Do you think the Zero-to-Hero course was helpful in preparation for your IE attempt?
  • Iristheangel Mod Posts: 4,133
    Yes it was. At least for CCIE Security v5.... Which might become very relevant :)
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • broli720 Member Posts: 394
    Good to hear. I'd say I'm really comfortable with the CCNA material right now. I'm just hoping I won't get lost during that course. Are you making any notes like you did for data center? Would be really nice to see a second set in addition to what I get from that course.
  • Iristheangel Mod Posts: 4,133
    Something has changed.... :)
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Iristheangel Mod Posts: 4,133
    Well, at least I know what to study now. I knew this was coming from internal rumblings but I had to bite my tongue since I didn't have details.

    Anyways, Jan 31st is the official date they swing over the lab but that's a pretty soft date. They have to typically get the new labs ready so there's going to be an amount of time where they spend staging it where I won't be able to book a lab date.

    The only crappy thing? Ugh... The new written is only available when the new lab is. I'm not going to wait 7 months to take the written so somewhere along the lines, I need to cram the old crap in my head at least enough to pass the written.. Ugh. I guess I'll find that old CCIE Security v4 book and read a chapter a day...
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Nafe92014 Member Posts: 279
    Reading your threads Iris makes me wonder how you can balance work, labbing/studying, sleep, and family time on a daily basis. Very impressive and inspiring though. :)
    Certification Goals 2020: CCNA, Security+

    "You have enemies? Good, that means you've stood up for something, sometime in your life." ~Winston S. Churchill
  • Simrid Member Posts: 327
    The higher level security track interests me so much. I've just started my CCNA Security, although pretty dull I'm looking forward to doing the NP and above topics.

    Reading through this/doing my own research the ISE looks awesome, a whole new world I am yet to be exposed to.

    Keep the CCIE grind going :)
    Network Engineer | London, UK | Currently working on: CCIE Routing & Switching

    sriddle.co.uk
    uk.linkedin.com/in/simonriddle
  • Iristheangel Mod Posts: 4,133
    Nafe92014 wrote: »
    Reading your threads Iris makes me wonder how you can balance work, labbing/studying, sleep, and family time on a daily basis. Very impressive and inspiring though. :)

    One of those things doesn't happen as often and that's sleep :P
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Iristheangel Mod Posts: 4,133
    Last week I was in StealthWatch training most of the week and was doing some AMP for Endpoints labbing so I didn't really get to start on the ISE book until Friday. I ended up busting my tail this weekend and am happy to report that I'm on Chapter 9 of 18 since Friday so I should get done with the book at some point this week. I'll probably try to get through that book and then get through the SISAS book. I know both are a little outdated since ISE 2.1 but 90-95% of the books should be valid. A lot of the core hasn't changed.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Simrid Member Posts: 327
    Interesting, I see you're going straight for CCIE: Security and bypassing the NA and NP exams. Out of interest, what is the justification for this? I can see that you did each step for Data Center (I think).

    I am currently studying for CCNA: Security and I'm not sure if I should go for CCIE: Security or work through the NP exams.
    Network Engineer | London, UK | Currently working on: CCIE Routing & Switching

    sriddle.co.uk
    uk.linkedin.com/in/simonriddle
  • Iristheangel Mod Posts: 4,133
    I was starting from scratch with data center so it benefited me to learn incrementally. I already have a CCNA Security and besides some info I might learn on the VPN side, I don't see a lot of benefit studying for the CCNP Security - the IPS test is old, I'm already strong in ISE, and I'm pretty good with ESA, WSA, etc. It's easier for me to go right for the updated CCIE Security v5 and ignore the rest so I don't have to learn outdated info or waste time on it :) I also work with a lot of this stuff in my day-to-day work, been doing a ton of hands-on for over a year and attended a 4-month long bootcamp for CCIE Security so it just seems counterproductive to shoot for lower than the CCIE Security at this point
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Simrid Member Posts: 327
    Oh wow, I guess that makes sense, seems like you're certainly well on your way. I only really touch ASAs at work, so I reckon CCNP would still be the way to go for me. Do you know when they plan on refreshing the IPS test?
    Network Engineer | London, UK | Currently working on: CCIE Routing & Switching

    sriddle.co.uk
    uk.linkedin.com/in/simonriddle
  • Iristheangel Mod Posts: 4,133
    Well, I'm through the ISE book and this week I should be getting the following book in the mail: Cisco Next-Generation Security Solutions: All-in-one Cisco ASA Firepower Services, NGIPS, and AMP

    I've got two weeks of work travel ahead of me (Cisco Live + a week of training in Atlanta). Hopefully I can get this book done in the time that I'm away since it's definitely an awesome book for the new v5 track
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Iristheangel Mod Posts: 4,133
    Burning through the Next-Gen book. Sadly, it's not all I hoped it would be. Just more of an overview. Been reading it a couple days and already mostly through the book. I'll finish the book all the same but it's definitely not for someone who's already past the SSFIPS and SSFAMP for AMP and Firepower.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Iristheangel Mod Posts: 4,133
    I've neglected this thread but not my CCIE Security studies. I'm still pounding out books. I got a Sony Digital Paper for my birthday and that was actually a great investment. It's been helping with reading the Safari Books subscription I have. SDP only allows for PDF format though so I've had to go the roundabout way of printing my chapters to PDF and then transferring them onto the SDP but it works fine.

    On a fun note, I met Marty Roesch (Creator of Sourcefire) this week and turned into a fan girl:


    I also found my ISE throne :P
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Iristheangel Mod Posts: 4,133
    Did a meetup the other day on ISE and figured I'd post it on here:
    https://www.youtube.com/watch?v=gJaH6AA-BUM

    It's the first of a 4-part ISE series I'm doing on ISE 2.1 and geared towards the CCIE Security. It was done live on a Webex with a bunch of folks so don't expect polish or editing but I had a lot of fun with it.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • CertifiedMonkey Member Posts: 172
    I know you said not to expect a polished video, but the audio is horrendously choppy. Is the original video like that? Also, is it just one person talking/leading in your meetups or do you have group discussions? I'm just watching the video to see how meetups are conducted at higher levels of study. We do open discussions down here in the lowly CCENT level of study.
  • Iristheangel Mod Posts: 4,133
    Nope. Original video isn't like that. Damn Youtube messed it up. Oh well, I'll reupload and repost the link.

    As far as questions, I answer questions as they are posed to me in the chat. When you have 30-130 people on the Webex with you, unmuting audio and letting everyone go is not a great idea. This is more supposed to be instructional and educational, not a town hall.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Simrid Member Posts: 327
    Great video, very informative. Are there any more webinars you have done and have links for at all?
    Network Engineer | London, UK | Currently working on: CCIE Routing & Switching

    sriddle.co.uk
    uk.linkedin.com/in/simonriddle
  • CE1028 Member Posts: 84
    Iristheangel wrote: »
    Did a meetup the other day on ISE and figured I'd post it on here:
    https://www.youtube.com/watch?v=gJaH6AA-BUM

    It's the first of a 4-part ISE series I'm doing on ISE 2.1 and geared towards the CCIE Security. It was done live on a Webex with a bunch of folks so don't expect polish or editing but I had a lot of fun with it.

    where do I find parts 2 - 4??
  • Iristheangel Mod Posts: 4,133
    @CE1028 - I have slacked on making them (as well as updating my blog). I've been hyperfocused on studying so haven't been able to do any of the additional things.

    Update for this thread:

    Read the following books:
    Next-Generation Security Solutions - Was a bit light on the technical side and I don't think I would recommend this for CCIE Security reading tbh unless you need a good overview of the Cisco security solutions
    Email Security Book - God this was dry but it had a lot of good and relevant detail. This was probably the hardest book I struggled with just because there was a lot and email security doesn't personally thrill me
    PKI Uncovered - I personally had a good grasp of PKI before this book so I didn't get a whole lot out of it but I think for most people starting out on the CCIE Security track and who don't have as good of a grasp, it's a great book.
    Practical Deployment of Cisco ISE - Great book for "just the meat and potatoes" of ISE
    SSFAMP - I went through the lab guides and class guides for this two day class. Taught me a lot about deploying the private AMP cloud which I think will be very relevant for the CCIE Security
    SSFIPS - This was a good book. Definitely a lot different though since there's some changes from Firepower 5.4 to 6.x. I think that 80% of the book definitely is still relevant and the remaining part you can pick up on as you're going through the GUI
    AAA Book - This was useful to someone like myself that didn't have a lot of prior ACS experience. The book is only 300-something pages but in reality, it's probably half that because the book flips back and forth between how to do something on ACS 4.x (not relevant for the lab) and ACS 5.1. I just ignored the ACS 4.x bits and focused on later versions of ACS
    WLAN Fundamentals book - There's only a couple chapters of this book really relevant to the CCIE Security and those are the chapters focused on wireless security. Even then though, anyone with some experience deploying ISE or dot1x probably could skip this book
    ISE 2.1 Techtorial - I went through this techtorial and made some notes for anyone interested: https://docs.google.com/document/d/1b2FktlAq9Ysf7iEQ8pgoaH26mtB6O9NmRBGHjVNiLFE/edit?usp=sharing

    Right now I'm working my way through the IKEv2 book. I might do some VIRL labbing on it as I go to reinforce the materials a bit. I really like reading a lot more than to focus on a lot of videos. Here are my plans so far:
    - Get through the whole books or relevant chapters for ASA 5500-X Series Next-Generation Firewalls, SISAS OCG, Complete VPN Configuration Guide, IPv6 Fundamentals, IPv6 Security, LAN Security, Router Security and IPSec VPN Design. I have a lot more reading between now and the end of the year
    - Start labbing heavily by the first of the year and probably re-watch the Z2H videos for VPN and ESA on the weekends. I don't see myself needing to re-watch the whole series or anything

    Some of the things I know I need to lab up specifically or just get better acquainted with:
    - IPv6 and IPv6 security
    - IOS VPN and clientless SSL VPN
    - Anyconnect with ISE - I haven't played with this as much as I should have
    - Probably do a good dry run of the private AMP cloud setup. Using AMP definitely isn't new to me but I haven't set up Private AMP from scratch. It doesn't look too daunting but it's something I should run through a couple times.


    So that's my update for the CCIE Security track!
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • CE1028 Member Posts: 84
    Looks like you've been keeping busy!!!

    I just tried to register for the Z2H class in January, but looks like it's all sold out. Maybe next time!

    I thought the Z2H videos were only available for 30 days after the class ends?