CCIE Sec Lab Diary - or how to make Ahriakin's brain implode

Comments

  • Ahriakin, Member, Posts: 1,799
    Work reared its ugly (yet cash-making) head again but I'm studying through Cisco Press' "CCIE Practical Studies: Security" at the moment, about halfway through. It's based on the 1.0 blueprint so you can't take it as gospel, but it's got a very good review of the key Route/Switch (non-security) concepts you need for the Lab, actually a little too much I think since the older blueprint was more R&S focused anyway. I haven't gotten to the dedicated security appliance sections yet but just for this filtered R&S review it's well worth a read.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Ahriakin, Member, Posts: 1,799
    Another few days closer to D-Day and not a whole lot to report. Had to work up my hours again to get the time to do today's and tomorrow's double lab sessions so I didn't get to study much. During the more repetitive work I left IWEB's advanced technologies classes running in the background; I redid the Advanced AAA and IPS sections, though I couldn't concentrate on them enough to call it proper study. I'm hoping at least something will sink in subliminally....yes I am getting that desperate ;) .
    So today was IWEB Security Workbook Vol II - Lab 6 (Difficulty 7/10). This was a very good lab imho, influenced in part (okay a lot) by the fact I did much better on it than last week's 7/10. It was very VPN heavy and this time I was prepared for the tricky NAT mazes in the way and had no problems with any intervening devices/filters. There was one WebVPN section but being on the VPN3K it was pretty intuitive - I still dread seeing it on the PIX/ASA though, their WebVPN setup via CLI is a convoluted mess that definitely looks as if it was designed with the GUI in mind first and the CLI was an afterthought. Still I'll have to practice that on my own if the next few labs don't tackle it, if even just to get used to using the Docs quickly for its configuration. I've gotten the hang of sourcing Crypto maps from internal interfaces (i.e. away from the physical interface(s) to which the maps are applied) and how this affects NAT etc. so that was one nasty hurdle from last week's lab that became a minor speedbump from the experience. The IPS section was as usual pretty straightforward, no IOS IPS which kept it simple. This one definitely kept you on your toes as regards intervening filters, one point on the network had an opposing CBAC firewall and a Transparent ASA so forgetting that nice little potential black hole was a no-no with VPNs flying left right and center. That and the PIX with its multitude of inside and outside NAT types were the real core of this one, the tasks themselves weren't too complex but making them work when traversing these devices was.
    My Attack Mitigation has improved too, though it still needs work. I'm getting a better feel for where certain commands should be even if I don't know their details offhand.

    Speed has greatly improved too. Today's lab minus breaks took just under 8 hours...yes finally I did one in the official time allotted :). 'Course that didn't leave me time to actually check it but I was doing that per section with the solution guide anyway (when the outright results weren't easy to check).

    Overall I was very happy with today's. Which is odd as I expected things to be a lot tougher - my lab-induced insomnia is getting worse so I had about 3 hours sleep today before heading into this. Where would IT be without caffeine (and that rather nice Mocha Almond coffee creamer from International Delight, seriously it's brownie in a cup with a kick :) ). Anyway I know the sleep thing will hit me tomorrow so it's a good thing I finished early tonight.

    Tomorrow will be Lab 8, another 7/10 - only one more of those left after it and then it's time to move up again. I've enough sessions booked now to finish the workbook and have one double left over for revision so my schedule is set for the next 3 weeks.....3 weeks....damnit wide awake again
  • pr3d4t0r, Member, Posts: 173
    keep it up man
  • Ahriakin, Member, Posts: 1,799
    Thanks, how are things going on your side? December isn't it?

    Tonight was IWEB Lab 8 - 7/10 and it was a lot tougher than last night's. VPNs everywhere....E V E R Y W H E R E....coming over the hills, through the trees *wide eyed crazed war vet look* . Seriously though, besides an intensive VPN dedicated section (multiple LAN-LAN, L2TP Remote Access, Dynamic LAN-LAN, QoS for VPN) some of the other sections snuck them in as well (like eventually having to use one to enable the AAA/IDM/Syslog server to access the IPS in order to bypass some previous NAT shenanigans). My network diagram now looks like a Dali-esque painting of spaghetti. I'd say about 3/4 of it was okay but I was majorly stumped on the other 25%, just things I have never even tried like SNMP v3 user rights within the MIB tree and switch resource optimization - about half of that was either intuitive or could be easily found in the Docs but that last 1/8th or so would have just been a complete black hole for me in the real thing. 12% down the drain before even checking what I had already done. Not good.
    I really need to bone up on L2TP, it's not that hard but I've never configured it outside of a lab and there are a few little gotchas like remembering its control port on your ACL if you are required to remove Sysopt permissions and manually filter VPN traffic.
    There were some issues with the initial configs as well. One core router's interface setup was completely FUBAR'd which messed up the routing table further down the line. One of the BB routers was supposed to peer via OSPF with the PIX but it wasn't set up for it (correct config on the PIX, the BB could be pinged and OSPF debugs showed hellos from the other neighbor but nothing from the BB). Also a couple of nasty errors in the actual tasklist (wrong VLAN numbers and IPs). None of which were earth shattering or hard to find and fix but it's a distraction I don't need, esp. when I have to start second guessing myself for doubting the text and spend time researching why it might be right when in fact yes, as good old Occam's razor would prove, it was just a typo.

    Anyway as usual after a 2 day Lab bender I need to go dip my head in a bucket of Ice. More study over the weekend....Next session is on Tuesday.
  • gojericho0, Member, Posts: 1,059
    Just started reading this blog. Awesome work so far Ahriakin...keep it up!
  • pr3d4t0r, Member, Posts: 173
    Yes December 5 :D

    I'm doing some IPS stuff, vlan pairing etc, some DMVPN/GRE tests, aaa troubleshooting and keep studying studying and studying.

    You know how it is :P
  • GT-Rob, Member, Posts: 1,090
    Sounds like it is coming along well ;) Do you have some time off from work before your lab?
  • Ahriakin, Member, Posts: 1,799
    Not too much of a problem as I work part time now. When we relocated away from the company Datacenter I was set to quit but they asked if I'd stay on part-time until they found a replacement, which suited me fine as it covered our bills while I had more time to study. 7 months later and they're talking about finally doing some interviews for my old job this month. So, unless there's an emergency my hours are very flexible so long as I do at least 20 hours (usually it's more, up until the bootcamp in sept. I was working close to 40 anyway but had to cut back getting closer to the Lab). For this stage of the trek it's working out pretty well, so I'll take the week off before the exam. I think management know that if it's a choice between work and the CCIE they lose, but to be fair my direct manager is a decent guy and doesn't push me on my schedule anyway unless it's important.

    The last few days have been study between work hours. I finished off the CCIE Practical Studies book (very good imho except having to pretty much skip the PIX sections as they are all 6.3 centric). I've also been running the IPexpert Audio CD Bootcamp and DVD class in the background while I work, again it's not exactly intense study but ya never know what will sink in.
    The next lab session is tonight. Since I'm normally on nights to match the wife's work schedule all of my sessions start at 5pm CST through to 4:30 am, but I ended up waking up this morning at 8am and couldn't get back to sleep sssssooooooo it's going to be a LONG night with lots of coffee. But it can't be helped.
  • Ahriakin, Member, Posts: 1,799
    I caved. 6 hours in and the lack of sleep has gotten to me. I went as far as section 6 and will do the last few sections on paper tomorrow...shoot me.
    Up until now the lab was going really well, a good blend of LAN-LAN VPN, Remote Access VPN (Router as an EZVPN client), DMVPN, some CBAC and mixed ACL types on the routers and a nice lump of NAT sitting in front of the ACS server. The VPNs I don't really have any trouble with (besides some syntax errors on the DMVPN but they were easy enough to spot during troubleshooting) and this time I flew through the NAT sections and for once didn't get lost trying to remember them when configuring other tasks that passed through it (yes it has finally clicked...or this one was easy...probably a bit of both). The AAA section had a few interesting tasks but some badly worded questions, unless they were deliberately 'trick' questions, for example one wanted to automatically authorize certain users on the PIX to priv. 15, easy enough by just setting it in their profile's TACACS section, but it also dictated that they had to reach 15 with different enable passwords...er....okaayyy....I didn't see why it was necessary but still tried to find a way to force them to use dif. enable passwords, even though they were already at 15. I configured different enable passwords and levels but nope, couldn't force their use with an autocommand. The solution mentioned nothing about the enable password clause and just went with my first thought of using the priv-level assignment straight from TACACS.
    Anyway, still a few little mistakes along the way so I still need to work on being extremely detail oriented, 'close' won't cut it - if I give the impression here sometimes that I am 'passing' all of these it's not the case, I judge it to be a good lab if I rarely had to use the Docs or solutions and knew the concepts behind the majority of tasks, I am rushing them a bit and do make mistakes that would cost me points. Speedwise until the tiredness just became too much I flew through this one, though that could just be from getting used to the format, I'm getting more confident at zipping ahead and doing standalone sections while I wait for reboots etc. which definitely helps.

    Tomorrow will be the first 8/10....
  • Ahriakin, Member, Posts: 1,799
    Not much study today after all. We wiped our old Nagios server on Monday and replaced it with OpsView (which I highly recommend btw, it's still Nagios based but vastly improves on its weaknesses with an excellent wrapper and improved Web console). Anyway I'm busy rebuilding its inventory. It can import your existing Nagios configs but only if they are configured in a manner similar to Opsview itself, e.g. I wasn't very organised in how I created groups when first setting Nagios up, it all worked fine but some group members were defined in the group definitions, some from the host definitions etc. which wouldn't really work, so I figured I'd just start from scratch now that I understand the pitfalls a bit better. So most of the last few days and the rest of tonight will be spent adding devices and services to it. Again I'm keeping CBTs running in the background though. Right now I'm going through the IWEB Advanced Technologies class again.
    I've also started reading "Cisco Router Firewall Security" by Richard Deal for when I take a 'break' ;). Onward to my first brain aneurysm!.... (em, Fate? That's not a request)
  • Ahriakin, Member, Posts: 1,799
    AAAAAAAAAAAAAAAAAAAAAGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH

    Anger

    The 2 ASA ETH0/0 cables not being physically connected (though support did fix that quickly) and a couple of nasty mistakes in the lab itself were annoying but it all got trumped by my Rack completely freezing 20 mins ago. I've cleared lines and ultimately power cycled the whole thing (knowing that I would lose a good bit of the VPN module in the process) and nothing. I just sent off a ticket to their support again but it's too late to try getting back into this.

    This was Lab 3 and 8/10 and I was actually doing better than I expected on it, which pisses me off even more!...Okay will try to calm down a bit. This one had a fairly extensive initial setup, this section is usually a 15 pointer but on this lab was 21 as there was a lot of routing setup and authentication to be done. It was finished off with a notice that there were 2 deliberate errors in the setup and you had to find and correct them. 2 were obvious from the diagram, the VPN3K would block a crucial BGP peering so you had to create rules to allow it and assign them to the Public filter, and then another right in the corner as the IPS was inline between 2 VLANs. The funny thing is the IPS was not number 2 according to the solutions, it was an OSPF authentication mismatch between the 2 routers either side of it. em...nah. Normally you'd pick this up easily enough by checking the route tables at key points, isolating where the black hole is and running debugs on the routing protocols between them, which is what I did anyway, which of course yields no results as there is no traffic going between the 2 routers to debug! So I was right, the IPS was the real 2nd phantom problem and the auth a distant 3rd. The IPS section was 4 modules away but I skipped ahead and finished configuring it anyway then went back and repaired the authentication on the 2 routers. Now you'd think that if this was the intent it was a good test, but it wasn't, the task specifically stated 2 errors and the solution list completely ignored the IPS. I'm guessing the IPS was put in there near the end of their planning for this one; anyway it was still good troubleshooting practice and wouldn't have pissed me off if I hadn't earlier had to deal with the 2 ASA outside interfaces being physically disconnected and later found the setup to one of the BBs was hosed, it was dead to the world so I had to skip sections involving it (simple stuff like NTP that wasn't a big deal but it didn't help my mood).
    The rest of the lab was tough but in a good way. No one area was overloaded so there was a good balance of Routing/NAT/VPNs and all that good filtering fun in between. The only major hiccup was with a certificate-auth'd LAN-LAN VPN between the 2 ASAs through the VPN3K. Everything went fine until I hit the stipulation that you had to use the hostnames in the tunnel-groups, I hadn't done that before but configured each peer as a 'name'd host and used that name for the tunnel group....nope....it should have been the FQDN...which I guess was kinda obvious. I'll just have to chalk that one up to experience but it's easy enough to remember in future.
    My DMVPN is nearly perfect now, I checked the Docs but mainly just for verification before applying the settings. Big improvement in understanding when to use NAT vs. routing to bridge some gaps, it was a major problem for me before.

    I just checked and the rack is responsive again. 30 mins now, most of my VPN setup and my patience are gone so I'm not going back to it.
    I have one session more than I need to complete the workbook before the lab so I'll probably just go back to this one in a week or so.

    Studywise I'm working through Richard Deal's "Cisco Router Firewall Security", I love his books. Just the right amount of information and a great layout - there's always a detailed example at the end of each chapter so if it's a topic you understand and just want to refresh your config knowledge you just skip to the end. It's nice having that flexibility.
  • Ahriakin, Member, Posts: 1,799
    I thought I should add after so much complaining last night that the rack vendor's support is very good. The few times I've had to use them they have been very prompt and always resolved the issue. It was just an unlucky night and I was already too tired to put in as much effort as I should have.
    Tonight is more reading and I might start redoing the smaller technology labs from the IPexpert workbook. I also plan to create a BlackHole Filtering lab this weekend.
  • Ahriakin, Member, Posts: 1,799
    Hopefully later I can compile a more comprehensive list of Web resources but I'll start today by updating the initial posts with links to useful sites/blogs/technotes etc. First up is IWEB's security Blog, some great little nuggets of info.

    http://blog.internetworkexpert.com/category/ccie-security/
  • Ahriakin, Member, Posts: 1,799
    I'm about 2/3 through "Cisco Router Firewall Security" and it's superb. Pretty much everything that I had no clue about on the router sections of the test-labs is in here. I originally had it on the shelf as an if-I-had-time read which is why I'm only getting to it now, but I'd rate it as an absolute essential, esp. if you have less of a background with Router security as I do. Another gold star for Mr. Deal.
    I've been sitting on our balcony reading it since lunchtime, watched the sun go down and figured it was time for a break :). So off to explore Far Cry 2's pretty (if a little boring) world and then back to try and finish this one tonight.
  • Turgon, Banned, Posts: 6,308
    Ahriakin wrote:
    I'm about 2/3 through "Cisco Router Firewall Security" and it's superb. Pretty much everything that I had no clue about on the router sections of the test-labs is in here. I originally had it on the shelf as an if-I-had-time read which is why I'm only getting to it now, but I'd rate it as an absolute essential, esp. if you have less of a background with Router security as I do. Another gold star for Mr. Deal.
    I've been sitting on our balcony reading it since lunchtime, watched the sun go down and figured it was time for a break :). So off to explore Far Cry 2's pretty (if a little boring) world and then back to try and finish this one tonight.

    There's some good Cisco Press stuff out there that does tend to sit on a shelf these days. A lot of folks put store in vendor materials and put off reading these books. For my part I have found both Solie and Duggan's Cisco Press books very useful indeed. Sales of these books are down as the vendors market more and more materials. I have to say though that having used both vendor material and these books, they do fill in gaps and explain essential things sometimes in a much better way. It's a shame more candidates put off this kind of reading these days because I think they are missing out on some great clarification opportunities, even though both the Solie and Duggan books do cover some topics that are now off the lab blueprint. What remains is still very informative. I have worked examples from both books on my home rack and it's certainly helped my understanding.
  • Ahriakin, Member, Posts: 1,799
    Aye, any reference is only as good to you as your ability to absorb the knowledge, so writing style and presentation are almost as much of a factor as the data. Obviously knowing the official Docs is essential for the lab, besides the less common topics they cover they're our only reference material to hand, but they are usually very dry and imho are not a good initial source of learning. I prefer a good 3rd party book first and then do a scan of the Docs to fill in the blanks. I've read 2 of Richard's books now (the Router Firewall and VPN Guides) and both are on my desert-island list....what use you'd have for Cisco manuals on an island I don't know but mebbe it'll impress the natives.
  • Ahriakin, Member, Posts: 1,799
    Finished the Router Firewall Security book and did a little from "Troubleshooting Virtual Private Networks", and again worked my way through the IPExpert Audio CDs while getting some work hours in.
    Today I'm restarting the IPExpert Workbook, mini-labs. I have 1-7 already setup for my Dynamips lab, and will do up no. 11 in a min. too. I've booked 2 sessions with them for tomorrow night 11am-6am and the same for Friday night to work on the others and fill some gaps. They range from 1-4 hours, most averaging 2-3hrs so they're good fillers.
    I have Full (double) IWEB lab sessions on Wed, Thurs and Sunday and then I'm done. If I need more full lab time by then I don't need to be sitting this exam....brave words 9 days out :)

    At this stage I'm comfortable with the VPN3K and IPS, they're done and dusted. My PIX/ASA has improved but there are a few little things I need to go over. VPN between any of the devices I have down pat, but will need the Docs for some like EZVPN on IOS, WebVPN and a little on DMVPN for verification; I've accepted this and won't focus on the syntax much more. My NAT knowledge is good for the main functions and getting better on some outside trickery for forcing proxy ARP for non-standard addresses etc. but it still needs work. Attack mitigation is much better but I need to do a bit more on little things like fragmentation under IOS and the logging side like intervals and the various options for timestamping etc. NAC, now there is an enigma. It's on the blueprint but it's barely touched in the Labs I have and I've been told that it is so time exhaustive that it just can't be realistically tested at the main event. In any case one of the IPexpert labs focuses on it heavily so I'll give it a go this week.
    So confidence level just over a week out? Well I'm sleeping better :) but obviously I have no way to accurately gauge my readiness until I actually sit one so I'm trying not to make assumptions about it. All I know is the last few months have tremendously improved my knowledge which is great in itself, I just don't know if it will be enough.
  • Ahriakin, Member, Posts: 1,799
    Okey dokelarooney neighbor. IPexpert Lab 11 was fairly straightforward. Essentially it was about configuring application services like NTP, DHCP etc. so not too hard at all. I did get caught on the core-**** config and the RCP copy commands though. I couldn't for the life of me remember the IOS start command and kept trying to find Crashinfo command references (PIX/ASA) instead. It's "exception" in case you're curious :). One thing I find very annoying is not being able to find this information by navigating the new Cisco Docs layout, but it is there if you google; the URLs don't even make enough sense for you to backtrack and find them manually that way for future reference. I mean I can find the doc. through a web search, look at its title, know where it should be in the navigation tree and then find it's not there. Great.

    I just finished redoing Lab 1 again too. This is a very good ACL primer. 5 routers and a simple mix of RIP, EIGRP and OSPF on the different segments. It runs through normal, Established, Lock and Key and Reflexive ACLs as well as CBAC. Probably the single best lab I've seen so far in this workbook as far as topic coverage and quality/simplicity of design. I messed up the timeouts on the Lock and Key section but otherwise it worked. No use of the Docs except correcting those timeouts which is a big improvement over the first time I did this one in Sept.

    I'm going to take a break and then hopefully do another IPexpert mini lab.
  • Ahriakin, Member, Posts: 1,799
    IPExpert Lab 2 redone. "Network Attacks and Advanced Filtering". A decent enough little lab using Policy Based Routing, MAC and VLAN filters, TCP Intercept, NBAR Filtering and some miscellaneous attack mitigation. Not the best written lab in the book as a few of the tasks that should be under one point are out on their own, making the order of configuration a bit confusing. Also my Dynamips image is 12.4 and doesn't include TCP Intercept anymore, so I did the tasks using CBAC instead; the syntax is very similar once you remember to just use "ip tcp intercept xxxxx" instead of "ip inspect xxxxxx". Ditto for the PBR section where you would normally set the interface to Null0, this isn't supported on this image so I did it a little differently to the solution guide, basically borrowing a step from Remote Triggered Blackhole Routing: I set its next hop to 192.0.2.0/24 under the route-map and set a static route to that subnet via Null0. Just an extra step for the same result.
    Enough for today methinks.
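The PBR workaround described in the post above (point the route-map's next hop into a sink prefix, then route that prefix to Null0, the same trick RTBH uses) written out as a complete IOS config. This is an added example, not the workbook's solution or the poster's config; the interface name, the ACL, the 10.10.10.0/24 source range and the 192.0.2.1 next hop are assumed for illustration.

```cisco
! Added example: drop a source range with PBR when "set interface Null0" is
! not available on the image. All names and addresses below are assumed.
!
! 1. Sink prefix: anything routed to 192.0.2.0/24 (TEST-NET-1, never routable
!    on the Internet, so safe to use as a sink) is discarded by Null0.
ip route 192.0.2.0 255.255.255.0 Null0
!
! 2. Traffic to be black-holed (constructed source range).
ip access-list extended BLACKHOLE-SRC
 permit ip 10.10.10.0 0.0.0.255 any
!
! 3. Route-map: instead of "set interface Null0", send matching packets to a
!    host inside the sink prefix; the static route above discards them.
!    Non-matching traffic falls through to normal routing.
route-map PBR-BLACKHOLE permit 10
 match ip address BLACKHOLE-SRC
 set ip next-hop 192.0.2.1
!
! 4. Apply on the ingress interface (assumed name).
interface FastEthernet0/0
 ip policy route-map PBR-BLACKHOLE
!
! 5. Null0 drops generate ICMP unreachables by default; silence them so the
!    router is not turned into an unreachable generator by the dropped flood.
interface Null0
 no ip unreachables
!
! Verification (lab use):
!   show route-map PBR-BLACKHOLE   -> "policy routing matches" counter climbs
!   show ip route 192.0.2.1        -> resolves via Null0
!   debug ip policy                -> per-packet match/reject trace
```

On images where `set ip next-hop` insists on an adjacent next hop, `set ip next-hop recursive 192.0.2.1` resolves it through the routing table instead; either way the packet ends at Null0.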
  • Ahriakin, Member, Posts: 1,799
    IPexpert Lab 8 "VPN Concentrator" done. Another straightforward mini-lab with one concentrator and 3 routers. It was my first time using ProctorLabs racks but it was pretty straightforward. Up until now I've been using multiple per-host terminal sessions and organizing them with Wintabber but I made an effort tonight to just use one session (well 2 since they have them split here) to the access server.
    The lab itself involved simple routing and redistribution between the private and public LANs, and of course remembering the filters to allow it. Then Router to VPN3k Lan-Lan / EZVPN client mode and remote access via IPSec and Webvpn. I mainly did this one for completeness sake and to get in practice with IOS EZVPN more than anything, the Webvpn section was a plus but it's very intuitive on the Concentrator so not a big obstacle - I really need to practice it on the ASA.
    I had to use the Docs for the EZVPN client side, as expected, but missed setting the Loopback as the inside source. Other than that it went well.
  • Ahriakin, Member, Posts: 1,799
    IPexpert Lab 9 - "Switching"
    Very informative title don't ya think? :) . While relatively simple security wise I actually appreciated this lab. It focused mainly on VLAN assignments / Trunking / VTP and VMPS as the basics and as stupid as it sounds I do need practice on those areas (I know enough to get around the devices and have picked up a lot more doing these labs but I rarely use any of this at work). After that was a Dot1x port control config (where I stupidly spent 10 mins looking for the option to enable per-user attributes and it was staring me in the face) and I had to refer to the solution guide for the exact attributes to enable and configure on the ACS server for VLAN assignment (64,65,81...now repeat). Last up was some dynamic routing between the 2 routers and 2 switches, a mix of MD5 auth'd EIGRP and BGP with redistribution. Simple enough stuff but I still got one of the loopback network numbers wrong. This one was okay, not too many mistakes but those I made were just stupid so there was no excuse.
    I'm kinda tired but I have 3 hours of rack time left and I want to do all of the IPS labs (3, or rather one larger one with 2 addendums, rated at 6 hours combined) together on my next Proctorlabs session next Saturday, sooooo one more tonight - NAC....for which I am clueless....
  • Ahriakin, Member, Posts: 1,799
    IPexpert Lab 12 "NAC"
    That my friends was painful. The first half went fine as it's just setting up the Groups/Users/Basic NAC enabling/VPN3K Certificates. After that I made a mess of installing a certificate inside the ACS since it doesn't support lovely old SCEP (yes I know I've gotten lazy that way), I eventually figured out where I was going wrong with little help from the solutions guide and got that going far enough to get into the actual NAC configuration on ACS. It's just so bloody involved for even the most basic tasks. I understand that once you have your templates it's easier to manage but if this came up on the lab it'd be a major time killer even if you knew it inside out. Anyway I got most of the way through but I was basically reading from the solutions guide so I figured I'll knock off and do some proper study on it in a few days.
    Tomorrow is a double with IWEB so I need my beauty sleep.
  • Ahriakin, Member, Posts: 1,799
    A little bit of study this afternoon in the form of the IWEB Advanced Tech Class Layer 2 Security module. Then it was on to the lab.

    IWEB Lab 3 - Difficulty 8/10
    Yup, this is the one I abandoned last week due to technical difficulties accessing the rack halfway through. Quite a good lab overall, very challenging but informative. To rehash a bit, the initial setup section was quite intensive, accounting for 21 points: the usual addressing setup and a mesh of EIGRP/OSPF/RIP and authentication, but also 2 (really 3) deliberately introduced problems in the initial configs that need resolving to essentially converge 2 sides of the network.
    The ACL and VPN sections were relatively light imho, or maybe I'm just getting used to them a bit more: a good mix of RA VPN, L2L and DMVPN with eventual encryption. While still using the Docs for DMVPN I can do the basic setup now for multiple routers in a couple of minutes, so my technique for scavenging what I need from them into a notepad config is as fast as it's gonna get...now if only I could actually remember it all off the top of my head. I ran into an issue with the L2L between the PIXes through the VPN3K that required certificate auth and hostnames for the tunnel-groups - this happened last time too, but I remembered the steps for using hostnames properly this time. The issue was simpler: I just didn't configure the domain name and certificates properly on one side, easy enough to spot in the debugs and then correct. Still, sloppy.
    There was a nasty ASA NAC section too, but it was well explained in the solutions guide and some of it finally began to click. I printed that whole solution section and will play with it over the weekend on my own lab.
    The last speedbump was a deep MPF section that required heavy manipulation of how certain TCP packets were handled. I got about half of the task offhand but the last part had me stumped. The solution was actually something I should have thought of, or at least known enough to go check that command's options: TCP-MAPs (the first half could be done with straight class-map/policy-map options). I've only used them so far for BGP auth fixing but it's now firmly lodged in the old noggin' as a place to check when lost and needing to manipulate traffic that deeply.
    One or 2 mistakes in the solutions guide but I've gotten used to that, just places where an implied filter was needed on a connected device and that kind of thing, no biggies.
    One thing I wasn't nuts about was that this one twice had you jump ahead to finish other sections before being able to drop back and continue. It was obvious in one case but not in the other (the solution was not hard but some of the details it was expecting weren't configured yet). Maybe it's just me but I found that a bit annoying. But I guess you have to be ready for anything.

    Anyway, another double tomorrow. I was trying to plan out my study timetable for my weak areas before next week this afternoon and it finally hit me: I have very little time to do any of it in detail. Lab tomorrow, a shorter one from 11pm Fri to 6am Sat. Another double on Sunday 5pm to Monday 4:30am, then fly out Wed. Those irrational jitters I've had for the last few weeks (and which were finally fading) are morphing into rational versions. Never enough time.
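    As an added example of the ASA tcp-map approach the post above ran into (this is not code from the post or from the IWEB workbook), here is a hypothetical Modular Policy Framework configuration that applies a TCP normalizer to traffic from one inside subnet. The names (TCP-NORMALIZE, INSIDE-TCP, INSIDE-POLICY), the subnet and the particular options chosen are assumptions; the `tcp-options range 19 19 allow` line is the BGP MD5 case the post says it had used tcp-maps for before.

```cisco
! Added example, not from the post: ASA MPF tcp-map (names, subnet and options are assumptions)
! A tcp-map holds the deep TCP normalization knobs that plain class-map/policy-map
! actions cannot express; it is attached with "set connection advanced-options".
tcp-map TCP-NORMALIZE
 check-retransmission
 checksum-verification
 exceed-mss drop
 reserved-bits clear
 syn-data drop
 urgent-flag clear
 window-variation drop-connection
 ttl-evasion-protection
 ! TCP option 19 is the MD5 signature option BGP uses; by default the ASA clears
 ! unrecognised options, which silently breaks BGP MD5 peering through the firewall.
 tcp-options range 19 19 allow
 ! Clear (rather than drop the segment for) other unrecognised option numbers.
 tcp-options range 6 7 clear
!
! Classify only the TCP traffic that should be normalized (assumed subnet/ACL name).
access-list INSIDE-TCP extended permit tcp 10.1.1.0 255.255.255.0 any
class-map INSIDE-TCP-CLASS
 match access-list INSIDE-TCP
!
policy-map INSIDE-POLICY
 class INSIDE-TCP-CLASS
  set connection advanced-options TCP-NORMALIZE
  ! Connection-limit tasks live here as ordinary set connection options, not in the tcp-map.
  set connection conn-max 1000 embryonic-conn-max 200
!
service-policy INSIDE-POLICY interface inside
```

    The split the post describes is the thing to remember: connection limits, timeouts and inspection are `set connection` / `inspect` actions directly under the class, while anything that touches the contents of the TCP header (options, flags, reserved bits, MSS, window, retransmission checks) has to go into a tcp-map that the class then references.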
    Turgon (Banned, Posts: 6,308)

    Good luck with your lab attempt. I know exactly how you feel. Lab work is VERY time consuming, particularly when you are working it around a job and such. The time just flies by and often you don't get as much done as you would like. But I think you are doing very well and clearly leveraging a lot you already knew about security device configuration coming into your preparations. Foundation always helps. Get your remaining labs done and try to focus on the core things in your preparation. You don't have much time left so I would concentrate on those things with the time you have remaining. The weird or arcane stuff..know of it, configure what you can..know where to find it..but take comfort that while the lab will have some of those sorts of things waiting for you it won't be full of it and you can't possibly learn all of it. Like you say. Not enough time! I think you have a shot at a first time pass but if you miss out don't get hung up on that. Some great engineers take more than one shot. Scott Morris did. Besides, it might make you a better driver. Took me four goes to clear my driving test and everyone says I drive really well. The journey is the most important thing because you might never study so intensely again.
    GT-Rob (Member, Posts: 1,090)
    Wow, I am nervous about my exam, which is still 10 weeks away. I can't imagine how you feel!


    Good luck and all the best to you.
    Ahriakin (Member, Posts: 1,799)
    Thanks guys, the pep-talk is appreciated :), it's sometimes hard to keep this all in perspective and not get lost worrying about it.
    Just finishing up the Advanced Tech class on WebVPN now and then onto Lab 7. Incidentally, I think I was right when I said before that WebVPN on the ASA was designed primarily for GUI configuration, since the CLI is so messy. It's actually much easier to keep track of if you think of the CLI modes in terms of the Global / Group and Interface tabs for it on the concentrator. I'm glad to see I'm not the only one, since even Mr. McGahan is having trouble on the vid keeping track of it all.
    Ahriakin (Member, Posts: 1,799)
    Hmmmm. Trying not to get pissed again but more technical problems with the racks. Neither PC, the AAA/Cert server or the test machine, will respond on the network. I troubleshot it for a while myself, moved them to different VLANs, set up SVIs on the switches in the same VLANs etc., and everything else works but those 2. I emailed support and they reset the VMs but no joy; emailed them back over an hour ago to let them know but still no reply - they're usually pretty prompt so I'm guessing it isn't an easy fix. It knocked out 1 VPN section and all of the AAA and IPS sections for me but I moved on and completed the rest.
    So, ignoring the blank spots, tonight was IWEB Lab 7 - Difficulty 8/10. I really enjoyed this lab; even if it did have me stumped a few times, it was very challenging in a good way. Lots of little gotchas and some attack mitigation techniques I hadn't much experience with yet. It was also my first time using HSRP on the routers, 2 of them face to face with a similar pair of ASAs in Active/Standby Failover. Configuring HSRP was actually much easier than I thought it would be, but the real 'trick' came later when part of the attack mitigation was to lock down the ports on that VLAN to only the maximum MAC addresses allowed. Easy enough, port security, maximum...and then you remember that HSRP means 2 MAC addresses potentially per router port - I got that part....but the bit I didn't was accounting for the fact that the ASAs would trade MACs if failover activated. Good stuff though, really makes you think.
    There was also another good section on traffic filtering depending on the source, but not using IP addresses anywhere in the config. I knew it had to be done with MPF but I couldn't for the life of me work out how to differentiate the sources. And thus was my first encounter with using policies to mark traffic and later drop it (i.e. on your border router you marked the traffic with a precedence value, then dropped it closer to your target). More neat stuff.
    Not too much else really, the usual batch of GRE/IPSec tunnels, not even a lot of interaction with the PIX/VPN3K/ASAs as they were all off at various perimeters. I think Failover was meant to be the big ASA task and it's so well and concisely documented it's a breeze now. It falls into the same category as DMVPN now for me: I could learn it off by heart and know most of it anyway, but it's just easier to leave it to the Docs.

    I'm going to call this one a night labwise anyway. I learned a lot from this lab and I have some topics I want to research a bit more before hitting the hay. No point waiting to see if they fix the VMs; it'd almost be worth it for the AAA practice but the IPS is not that involved....and I kind of like finishing early.

    Sooooo off to CBTNuggets BSCI and the OSPF section to revise Virtual links and then I think the WebVPN chapters from the Cisco ASA Handbook.

    All in all a good night's work, missed some things but learned from it....now if I can cure the 'missed things' part in a week I'll be fine.
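    The two mitigation pieces the post above describes, written out as an added example that is not from the post or from the IWEB lab: port security sized for HSRP and ASA failover, and source-based filtering that marks at the border and drops nearer the target without an IP address in the drop policy. All interface names, VLAN numbers, the precedence value and the policy names are assumptions. The post used ASA MPF for the drop; this example shows the IOS MQC form on a router, which is the same idea (an ASA class-map can likewise match on precedence).

```cisco
! Added example, not from the post; names, VLANs and values are assumptions.
!
! --- 1. Port security on the HSRP / failover VLAN (access switch) ---
! Each HSRP router port can present two MACs: the router's burned-in address and
! the HSRP v1 virtual MAC 0000.0c07.acXX (XX = group number), so "maximum 1" is wrong.
interface FastEthernet0/1
 description R1 - HSRP group 10 member
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
! Each ASA failover port can also present two MACs over time: the active unit
! uses the primary's interface MAC, and on failover the two units swap addresses.
! A limit of 1 would trip port security on the first failover event.
interface FastEthernet0/3
 description ASA1 inside - Active/Standby pair
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
! --- 2. Mark at the border, drop near the target, no IPs in either policy ---
! Border router: classify by ingress interface (this is what keeps addresses
! out of the config) and colour the packets with IP precedence 1 on the way in.
class-map match-all FROM-UNTRUSTED
 match input-interface Serial0/0
policy-map MARK-UNTRUSTED
 class FROM-UNTRUSTED
  set ip precedence 1
interface FastEthernet0/1
 description towards the core
 service-policy output MARK-UNTRUSTED
!
! Router closer to the target: drop purely on the marking.
class-map match-all MARKED-PREC1
 match ip precedence 1
policy-map DROP-MARKED
 class MARKED-PREC1
  drop
interface FastEthernet0/0
 description from the core
 service-policy input DROP-MARKED
```

    One caveat a practitioner would check before trusting this: the inner drop relies on nothing between the border and the target rewriting the precedence bits, and on legitimate traffic never arriving with that precedence already set, so pick a value that nothing upstream uses.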
    Turns out last night's issues with the PCs was a system wide routing problem that only got resolved this afternoon. They did refund a session worth of tokens though without being asked which was a plus, I'll probably use them tomorrow or Monday to do some adhoc work on NAC and some other areas.
    EDIT: Or I would have, but there are no slots free; ah well, at least I have some 'in the kitty' if things do not go well next week.
    Today is finishing off some study on the ASA WebVPN. I started it last night but it just didn't sink in. I'm going to implement this on one of our ASAs at work to allow quick viewing of our monitoring system status pages, so it'll kill 2 birds with one stone.
    I have a 7 hour session with Proctorlabs tonight at 11pm to finish off the IPexpert mini-labs, all the IPS ones and maybe go over some of the others if I have time. I think the IPS ones alone will probably only take half the session as the time estimates on the book are pretty generous.
    Ahriakin (Member, Posts: 1,799)
    AAARRRRGHHHH


    Do ANY of these rack rental companies actually give a damn about availability? Just tried Proctorlabs and the 2nd access server is down...it just happens to be the one with all of the security appliances. The control panel won't let me reset the power either. It's just problem after problem, from company to company. I'm trying to get into their support pages now and it's going incredibly slowly...THEY'RE NETWORKING SPECIALISTS FFS and they can't keep their own systems up.
    The only thing that is working is the very pretty Clock at the top counting down the time I have left. I do not need this so close to the Lab, first last night's on GradedLabs and now these.

    Edit: Well the Access server came up but I've never used the IDS with them before and all the standard passwords don't work. They don't include them in the confirmation emails, they are stored in your profile...on the website that has been dead for the last hour.....Oh well. Moving on and redoing some of their workbook on my home lab.
    Another wasted rental.
    GT-Rob (Member, Posts: 1,090)
    Ya, I have had issues with GradedLabs myself, especially with their control panel (there was a good month where I couldn't save configs). I have also had times where they would be "working on my rack" while I am trying to get on. And the WORST is when their site takes 10 mins to load right when I need it to get the passwords/rack #.


    I agree that you would think managing some routers would be what these guys do best! :P