My CCIE Security (thread)
I was debating starting this thread for some time. I am not a blogger but I realized I need a reminder.. so here it is.
A bit about my background. I started getting involved with network security around 2007-2008 when I was working as network engineer. Over the years, I drifted more and more into the security realm. It became my main focus two years ago.
Originally, I started studying for CCIE R&S but as my focus shifted so has my studies to CCIE Security. Overall, I am studying for CCIE(s) on and off for a couple of years now. Mostly reading books and watching training videos. I would have continued that trend for years if it wasn't for my team lead at the previous job, who is also CCIE, and my wife. They pushed me to actually take the next step. Albeit, my wife pressured more; she wants me to finally cross the 200K mark.
I passed written two weeks ago and now waiting on the schedule to show up for December. I plan to make my first attempt in mid December and second end of January.
As for study plan, I will probably read one more book about ISE (Cisco ISE for BYOD), catch up on GETVPN, take Narbik Zero to Hero on 27 Aug and spend the rest of the time practicing configs.
For my home lab, I don't have much. I have 1x3560, 2x2950 and 1x1602i AP. Four lab topics can be practiced in GNS3 and using these three switches. For the other two, I bought a server on ebay which comes in today. The server is DL360 G6, dual quad core xeon 2.26GHz, 72GB RAM, 4 NICS, P410 Raid controller and it cost me $91 (+ $50 s&h). Plus 2x300GB SAS 10K RPM disks for $50. I will install esx and then spin up vms ISE, ACS, WSA, WLC, AD and another host for GNS3; will do a breakout from GNS3 to 3560.
Comments
-
Iristheangel (Mod): Joking aside, I would recommend ditching the ISE for BYOD book. It's probably the oldest ISE book out there. The two critical ones are as follows:
- Practical Deployment of Cisco ISE (just released late last year and written for 1.4)
- SISAS OCG - Older book but not as old as BYOD and still largely relevant. It was written for 1.2 but goes into it in more detail than the BYOD book
Since ISE 2.1 has some new features and enhancements, anything not covered there, you could use something like this: https://communities.cisco.com/docs/DOC-64012
PM me if you want some good materials on the upcoming Security track.
gorebrush: Good luck!
I assume you are aware the lab is changing soon, right?
aftereffector: Awesome! I'll be following your journey!
CCIE Security - this one might take a while...
-
Kreken: Thanks guys.
Iris, thanks for the recommendation.
I am aware that lab is changing. I would like to try v4 because I have experience working with that technology and was studying for it long before the change was announced. Thus the date for the first attempt in early December so I could wait 30 days and schedule another attempt in January if needed.
Kreken: 1. My server came in on Monday but still isn't set up because of a keyboard... It doesn't recognize USB keyboards during the boot so I can't set iLO and configure BIOS and RAID settings. USB to PS/2 converter doesn't give enough juice to my Razer keyboard and I am too cheap to spend $20 on a keyboard I will use exactly for two minutes. My friend owns a computer shop in the city; I'll borrow one from him today.
So this week I spent my time labbing in GNS3. I concentrated on GETVPN with and without multiple VRF's, IKEv1 and IKEv2 site-to-site IPsec VPN and a little bit of DMVPN (phase 2). I did some troubleshooting, looking at errors and debug messages. Next week, I will continue with VPNs but with more DMVPN (phase 2 and 3) and will add EZVPN and RA VPN.
No studying this weekend. Tomorrow is Spartan Super race in PA and taking my kids to a lake on Sunday.
2. I scheduled lab on the 12th December at RTP.
gorebrush (quoting Kreken): Thanks guys.
Iris, thanks for the recommendation.
I am aware that lab is changing. I would like to try v4 because I have experience working with that technology and was studying for it long before the change was announced. Thus the date for the first attempt in early December so I could wait 30 days and schedule another attempt in January if needed.
Yes, I figured this would be your approach. I was tempted to do the v4. If I were to remain at the NOC then I would have gone balls-to-the-wall to finish v4 by end of the year because we use a lot of the technology here.
As it stands now, I can take a step back and look at v5 at my leisure as opposed to going all out.
Kreken: That and most likely I will be changing jobs again in the beginning of next year.
-
Kreken: Still labbing VPNs and configuring firewalls. I think it was in one of INE's videos the instructor said that VPNs and ASA are the core topics of the lab. I am trying to get them down first before moving on.
The most likely turned into a definite yes and I will be moving into a hands-off consultant architect position in January.
Kreken: After doing almost exclusively VPNs, I got burned out and had to take a week off. Lesson learned - don't concentrate on one topic only.
At my work, in VMplayer I set up WLC, ISE and WSA. WSA is still missing license. ISE 1.1 .iso already comes with the trial 90 days license. I have a small switch and ASA on my desk so I can practice a lot of different scenarios.
Kreken: Last week I contacted Cisco licensing and got 45 day license for WSA; going through Cisco site didn't work for me. At this point, I have almost a complete virtual lab at work.
Since my last post, I have spent most of my time in IPS, WSA and WLC.
Ten more days before Narbik's class starts.
I started reading Optimal Routing Design for work. If anybody can suggest a good design book that doesn't induce apathy and drowsiness after three pages, I would appreciate it.
Edit: Added a virtual version of Cisco IPS 4200 to GNS3 today. So now I can access it with IME from my desktop.
Kreken: I practiced WSA and system hardening/threat mitigation topics.
ISE will be my main focus for the next couple of weeks.
Narbik's workbooks are supposed to come in by the end of the week with the lab access given on Saturday. Hopefully, I will find enough time and will to do the workbooks and my own lab scenarios.
Kreken: The first class was on Saturday. It was mostly a review but I did learn a couple of new things. The explanation of the packet processing by ASA was excellent. Sadly, PODs should be ready only on Wednesday. In the meantime, I am re-watching the recorded class session, reading through the workbooks and doing my own labs.
-
Iristheangel (Mod): Nice, you're actually in that class with a bunch of folks I know. Say hi to Steve, Earl, Carlton, Matt D, Daniel, and Jay for me. My recommendation is to give the video 1-2 hours a day so you don't overwhelm yourself. I got more out of the re-watch than the live class due to my ADHD nature.
-
Kreken: I think mbarrett is there too. Is the Daniel you have included the same as aftereffector?
While looking up some switch commands to configure 802.1x for ISE, I landed on your blog. Great stuff. I have a question for you (ISE is my weakest topic since I haven't worked with it). What is the reason for the selection of those particular VSAs in this article Switch Configuration for ISE dot1x? Would I choose the same for an IP phone or PC?
Iristheangel (Mod): Yep. They are there. We actually have a Slack channel where we all bat stuff back and forth about the class and lab it up. I shared my ~500 pages or so of notes with them from the first class. They can tell you how OCD I am about notes. *twitch twitch*
As far as the switch configuration, you don't need to use EVERY command I put in there since in larger environments, they're redundant and can make it pretty chatty for profiling. The ones I included will give you a couple different items which help in identifying the type of device that is connecting. It's a global setting on the switch so you wouldn't turn it on/off per port. Even if you're going to use nothing but dot1x supplicant capable devices on your network, you would still have SOME profiling to track the device as it connects and get ISE the MAC and IP address of the device. But in almost all cases, not every device in your network is going to have a supplicant. You're going to have "dumb" devices connected such as phones, APs, CCTV cameras, printers, etc and that's where good profiling comes in handy and helps you with the fidelity of the profiling. It should also be paired with a restrictive authorization profile to prevent any potential security issues.
mbarrett: Yeah, I'm in the Z2H. Not bad so far, I'm glad we are easing into the tough parts.
I'm going to try to take the v4 written before they stop offering it, if I can. Might be too much at once, though.
Good luck with your studies.
Kreken: I spent the past couple of days trying to figure out the AAA config. The information below is based on Iris's blog, Cisco docs and videos. This is the bare minimum that needs to be configured on a switch to make it work with ISE. Comments/corrections are welcome.
MAB
To enable MAB on a switch you need to do the following:
1. enable aaa
aaa new-model
2. configure ISE server
aaa group server radius ISE
server-private 192.168.1.1 key cisco
ip radius source-interface vlan 1
3. global authentication server
aaa authentication dot1x default group ISE
4. enable mab and authentication under interface
int fa0/1
mab
dot1x pae authenticator
authentication port-control auto
MAB+EAP
1. enable dot1x
dot1x system-auth-control
2. enable mab and eap under interface
int fa0/1
mab eap
Phone + PC config
VLANS: While data vlan can be assigned by ISE, voice vlan has to be configured on the interface. The initial ip phone communication with ISE happens over data vlan and after authorization is moved to voice vlan. Assigned data vlan must be configured on a switch.
To allow phone and pc on one port you need to enable ACL and VLAN assignment from ISE, enable multiple MAC addresses on a port and configure authentication order.
A. To enable ACL and VLAN assignment from ISE:
1. configure authorization
aaa authorization network default group ISE
2. enable device tracking
ip device tracking
3. enable vsa
radius-server vsa send authentication
B. To enable multiple MACs:
int fa0/1
authentication host-mode multi-domain
Note on multiple MACs configuration:
authentication host-mode multi-domain - allows one MAC in data and one MAC in voice vlans
authentication host-mode multi-auth - allows one MAC in voice and many MACs in data
authentication host-mode multi-host - authenticates only the first MAC, subsequent MACs are allowed without authentication (wifi controller)
C. Configure authentication order (mab for phone, dot1x for pc)
int fa0/1
authentication order mab dot1x
Optional - change violation action
int fa0/1
authentication violation restrict (default is shutdown)
Profiling
Radius communication is always initiated from a client to a server. For profiling to work, ISE needs to be able to initiate the communication. COA is used to change that.
To configure COA:
aaa server radius dynamic-author
client 192.168.1.1 server-key cisco
Kreken: So the class was cancelled for this Saturday. Still no lab access. Neither Piotr nor Janet responds to the emails I sent. This doesn't make me a happy camper.
-
Iristheangel (Mod): Piotr is working during the week. I think Janet sent an email out stating that there were electrical issues and you'll be getting lab access next week. It took about 2 weeks before we got lab access for our class too. What happened is that they gave us a month of extra pod access. Since you only did some basic ASA stuff last week, you're not really behind in the labbing part.
-
Kreken: I got a reply from Janet today. She said they are upgrading the equipment and they will extend the labs access. Problem is my lab date is on 12th Dec.
-
Emporio Armani: I'm also in the Z2H class, this is Cliff. I plan to take the v5 written next year.
Since our class was rescheduled, I've been labbing all weekend and doing related work projects. I've got a VPN RA deployment and guest wireless project all using ISE to secure the endpoints (4 x ASA 5585's in active/standby pairs or maybe clustering depending on what we learn in the class).
Just got the ASAs and ISE configured with multifactor authentication for Cisco AnyConnect as part of the RA deployment. Meeting with engineering team tomorrow to go over design for ISE pushing dACLs to the AC endpoints.
A comment on the ISE switch config. This is optional and not needed for the minimal config you are labbing. I ran into a production issue when a switch stack lost connectivity to the ISE nodes due to a routing issue and the voice vlan stopped working. Traced it to a missing command on the interfaces:
authentication event server dead action authorize voice
After entering this command on the appropriate port ranges and bouncing the ports the voice vlan was restored.
The following command was in place:
authentication event server dead action reinitialize vlan xxx
This enabled workstations to continue functioning on the data vlan xxx, but without the voice authorization command the IP phones stayed in the data vlan.
This is nicely documented in Iris's blog under Radius session timeout in her 802.1x switch config article.
Not sure how relevant this is to the lab exam, but something to keep in mind with respect to designing out a production network and proper placement of ISE nodes (we have 6 in our production environment). I looked ahead into the Vol3 workbook but couldn't find anything related (just MAB'ing and profiling IP phones). I'd like to test this scenario once Piotr has our pods up tho. I was looking at the class topology, and I can shutdown vlan 203 to simulate this issue.
Good luck on your lab prep for December. BTW, what books did you end up using for the v4.1 written? I saw an earlier post when you were figuring out which books to use.
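One way to turn the minimum switch configuration from the earlier post and the server-dead fallback described above into a repeatable check, as an added example that is not code from this thread or from any poster: a small Python audit that parses a Catalyst running-config, splits it into global and per-interface commands, and reports which required commands are missing on each access port. The embedded sample configuration is constructed for the example (the 192.168.1.1 / cisco values are the placeholders from the post), and the two required-command lists are assumptions distilled from the two posts, not a Cisco-published checklist.

```python
"""Audit a Catalyst running-config for the ISE MAB/802.1x port settings
discussed in this thread. Sample config and command lists are constructed
for this example from the two posts above (assumed checklist, not Cisco's)."""
from typing import Dict, List, Tuple

# Global commands the earlier post gives as the minimum for MAB/dot1x with
# ISE authorization, plus the CoA listener used for profiling
REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa group server radius",
    "aaa authentication dot1x default group ISE",
    "aaa authorization network default group ISE",
    "dot1x system-auth-control",
    "ip device tracking",
    "radius-server vsa send authentication",
    "aaa server radius dynamic-author",
]

# Per-port commands for a phone + PC access port, including both server-dead
# fallbacks from the later post (data VLAN reinitialize and voice authorize)
REQUIRED_INTERFACE = [
    "mab",
    "dot1x pae authenticator",
    "authentication port-control auto",
    "authentication host-mode multi-domain",
    "authentication order mab dot1x",
    "authentication event server dead action reinitialize vlan",
    "authentication event server dead action authorize voice",
]

# Constructed sample: Fa0/2 lacks the voice fallback that caused the outage
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius ISE
 server-private 192.168.1.1 key cisco
 ip radius source-interface vlan 1
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa server radius dynamic-author
 client 192.168.1.1 server-key cisco
dot1x system-auth-control
ip device tracking
radius-server vsa send authentication
!
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 20
 authentication event server dead action reinitialize vlan 10
 authentication event server dead action authorize voice
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface FastEthernet0/2
 switchport mode access
 switchport voice vlan 20
 authentication event server dead action reinitialize vlan 10
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into top-level commands and per-interface
    command lists. Indented lines under non-interface blocks are skipped."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None  # interface block currently being read, if any
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                interfaces[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def _has(cmds: List[str], prefix: str) -> bool:
    """Whole-word prefix match: 'mab' matches 'mab eap' but not 'mabx'."""
    return any(c == prefix or c.startswith(prefix + " ") for c in cmds)


def audit(text: str) -> Dict[str, object]:
    """Return missing global commands and, per access port, missing port commands."""
    global_cmds, interfaces = parse_config(text)
    missing_ports: Dict[str, List[str]] = {}
    for name, cmds in interfaces.items():
        if not _has(cmds, "switchport mode access"):
            continue  # trunks and uplinks are not ISE-authenticated edge ports
        missing_ports[name] = [c for c in REQUIRED_INTERFACE if not _has(cmds, c)]
    return {
        "global": [c for c in REQUIRED_GLOBAL if not _has(global_cmds, c)],
        "interfaces": missing_ports,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("missing global commands:", report["global"] or "none")
    for port, missing in report["interfaces"].items():
        print(f"{port}: {missing or 'ok'}")
```

Run against a real `show running-config` output, the script flags exactly the kind of gap described above (a port with the data-VLAN fallback but no `authorize voice`) before a routing problem to the ISE nodes turns it into a voice outage; adjust the two lists if your design uses `multi-auth` or a different authentication order.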
Kreken: Thank you for the comments on ISE.
I took written v4.0. I read Cisco Firewalls; partially IPsec VPN Design, Network security principles and practices (partially due to the book's age). RFC's listed here: Study/Learn Resources - Cisco A lot of white papers on securing protocols and security design.
I failed my first attempt by 30 points. Most of the questions I answered wrong were about IPv6 security and TrustSec. Plus, I made some very careless mistakes. Re-booked the exam for a date three weeks later (mandatory wait time), studied my weak areas and passed the second time.
Edit: Forgot to mention VPNs. I used VPN configuration guides and labbed them in GNS3. It seemed like the only way for me to understand DMVPN phase 2 and 3 was to see how it works.
Emporio Armani: Thank you, that really helps for scoping out the required reading and planning a study schedule for the core technologies. For v5 I'll supplement/replace with the new tech topics (eg, FP instead of legacy IPS).
For ISE, I'm reading the 802.1x IEEE spec to become more familiar with the standard. I read through the SISAS book and will be picking up Practical Deployment of Cisco ISE mentioned previously on this thread.
In a prior thread you had mentioned drawing ASAs and routers in GNS3, typing the configs in notepad, then pasting configs into GNS3 and troubleshooting. I have two 5516's with FP services to play with, but I like the GNS3 approach better for conditioning and building speed for the lab.
Kreken: Anytime. Another thing I forgot to suggest is to read the release notes for the major releases.
If you are going for v5 lab, you will have to use ASAv in GNS3. Since it runs as qemu, I would suggest to install a loopback on your NIC, connect it to a cloud in GNS3 and connect ASAv to a cloud (like in this guide: ASA 8.4 with ASDM on GNS3 - Step by Step Guide - XeruNetworks). That way you can use Putty on your desktop to configure ASA; otherwise it would be a pain in the back (you can't scroll, copy&paste, etc). ASAv doesn't support multiple contexts so you would need either a physical device or use 8.2 or .4 ASA image in GNS3.
Kreken: This week I finished going over the last of the material that I think I will need for the lab. From this point, besides the class on Saturdays, it will only be labbing. My schedule is Monday through Friday I spend on average 3.5-4 hours daily, 8 hours class on Saturday and I take a break on Sunday.
-
Emporio Armani: I got ASA 8.4 working under GNS3. I struggled with formatting disk0 and saving configs but I've finally got it working. I'm working with my local Cisco Sales Engineer to get ASAv and the other evaluation downloads from Cisco.
Are you using the Z2H lab workbook set or are you using something like the INE CCIE Security Practice Lab workbook to prep and simulate the lab tshoot/diag/config exam experience? I understand Piotr won't be covering legacy IPS in the class. With no legacy IPS in our pods, I imagine you've built the IPS lab related topologies in your home lab. I've been reading the legacy IPS config tasks in the Z2H Vol 2 workbook.
I'm reconsidering taking the v4 written and lab before they're gone. At my new job, I work with legacy IPS, old Cisco VPN concentrators, and an older version of ISE. I'm not sure how the v5 tech will fit into my production network as of yet.
Will it be possible to do v4 lab exam retakes after January 2017? I recall your lab is scheduled in December. I'm still tossing this around as I may end up not having enough time.