CCIE Sec Lab Diary - or how to make Ahriakin's brain implode

  • Turgon (Banned, Posts: 6,308)
    dynamik wrote:
    Wow. I even got a surprise response from Turgon as well. Good info guys!

    Maybe I didn't phrase my question perfectly, but just to be clear, I wasn't looking at the workbooks as a substitute for learning the background theory. I was curious how well you felt that represented the actual lab and how well they helped identify your weak points (so you could go back and review the theory).

    I actually have Routing TCP/IP Volume 1 in the mail. I'll be done with my NA very soon, and it's full speed ahead after that. I think I'm going to tackle BSCI and BCMSN first. ISCW and CCNA: Security seem to be pretty similar, so I think I'll double-up on those, and then move into security. I'll have to find a place to squeeze in ONT for the NP though. Maybe I'll do that before ISCW... Anyway, the point I'm trying to make is that I'm going to start developing that foundation from the start!

    That's ok dynamik I realised where you were coming from there but as you mentioned workbooks it's worthwhile for the benefit of other readers who may be less informed to clear that sort of thing up. Foundation is everything and networking really is a long term thing! The layouts of workbooks and Duggan (Cisco Press) and Cisco Assessor are close and they are all useful for identifying weak areas. The blueprint is useful for that too.
  • Ahriakin (Member, Posts: 1,799)
    IPexpert Labs 4a (AAA) and 5 (PIX) done again. I wasn't sure whether to post my thoughts on these as I have months back when I first did them but hindsight and experience do make me see them in a different light so I figured yup.

    4a is a bit too simple imho. It covers the basics of configuring 2 hosts as Tacacs+ and Radius clients and doing some privilege assignments, but for some reason the only remotely challenging section where you need to assign certain commands to priv-5 has you authorize locally. I went ahead and did it with auth from the Tacacs server instead and will probably go back and do it on Radius as well just to cover the bases. In short this one is not bad if you are prepared to add some complications yourself at the end, but a bit too limited otherwise.

    5 in contrast is a very good mini-lab, probably the best in the book for what it covers. Calling it a PIX lab is a bit misleading as yes there is one PIX but it's in the middle of 5 routers so you'll spend as much time on them combined as the PIX itself. It takes you through NAT, ACLs, Cut-Through Proxy, Routing + authentication + GRE etc. A few nice tricky tasks that involve using NAT and GRE to get around specified route limits. Whereas this one and 4a are estimated at 3 hours the latter can easily be completed in about an hour but this one will take 2+ as there are a lot of tasks at the end that involve ripping ('scuse the pun :) ) out the previous task configs and starting again. The very last task section has you completely wiping the device configs and starting from scratch. It doesn't cover VPNs, MPF or the more advanced PIX/ASA services but for the core this one is a great learning experience.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • pr3d4t0r (Member, Posts: 173)
    Well...i am really surprised. Unfortunately i failed. I have lots of doubts concerning my ips section since i got a 25%...i cannot understand this but what can i say...
  • Turgon (Banned, Posts: 6,308)
    pr3d4t0r wrote:
    Well...i am really surprised. Unfortunately i failed. I have lots of doubts concerning my ips section since i got a 25%...i cannot understand this but what can i say...

    Nevermind pr3d4tor. The tests are illusive. Better luck next time.
  • Ahriakin (Member, Posts: 1,799)
    Damnit, sorry to hear it. All it takes is one little typo and you've lost those points, with the IPS often using regex's and the like it's incredibly easy to do I think. But you have the experience, bad as it is to fail you're a lot more seasoned now.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • pr3d4t0r (Member, Posts: 173)
    I hate cisco ips, but the tasks i had to configure were easy...and the regex conf was easy too. I really don't understand this.

    mmm, wait a second, does cisco ips have an auto-save feature or not ?
  • dtlokee (Member, Posts: 2,378)
    Sorry to hear that pr3d4t0r, as Turgon said the exam is elusive and there were a few times that I couldn't understand how I did so poorly in a section I thought I had done correctly.
    The only easy day was yesterday!
  • pr3d4t0r (Member, Posts: 173)
    I feel you dtlokee, maybe i forgot to save the config in the ips, i cannot imagine anything else. Regardless, case closed.

    On to the second try.
  • Turgon (Banned, Posts: 6,308)
    Good luck with that. Even if you are extremely well prepared for the lab exam I do believe you still need a fair wind on the day to get through first time. There are a myriad of things that can crop you up and you can't be great at spotting and dealing with absolutely all of them. Any ideas when you will try again?
  • Ahriakin (Member, Posts: 1,799)
    The IPS saves automatically, it's essentially a Linux box and configs are written to the hard drive and not flash, even your running "current-config" is saved once you select 'yes' to accept a change you make in a service mode. Still saving your config to backup doesn't hurt in case the current-config gets corrupted on the drive "copy current-config backup-config". I've also been told that the written report doesn't mean much in relation to the actual layout of the exam. They might have small IPS functions in 2 or 3 other sections that they included under IPS on the report even though to us that was not the thrust of those sections.
    I think the biggest hurdle with the lab is everything has to be perfect 1st time. Something that in real life would not be an issue because you would spot the mistake and correct it will still fail you on the real thing. Time wise your exam was just like mine, the choice between doing one last question or using those 30 mins to verify your existing setup and the thing is 30 mins isn't enough to fully test and debug your running lab, I know I got through maybe 1/3 of the exam and spotted/corrected a couple of typos in that time (things that didn't break pure functionality but that didn't exactly match the task parameters) so god knows what was left. One thing I am focusing more on in my lab time now is speed, previously I would use my pre-configured Dynamips sessions to save basic config time but now I make my labs from scratch and force myself to do the basics like addressing/routing etc. so it'll be second nature for the next time. I think I need to have at least 90 mins at the end even if I believe I have done well to make sure I didn't leave any stupid little landmines behind.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • pr3d4t0r (Member, Posts: 173)
    Yes yes, you are correct, i did find some typos myself too at the end. I totally agree with you all the way.

    The most difficult part for the lab is to be fast and accurate in your configs.
  • pr3d4t0r (Member, Posts: 173)
    Well i schedule my 2nd attempt at February. Back to my books :D
  • Turgon (Banned, Posts: 6,308)
    pr3d4t0r wrote:
    Well i schedule my 2nd attempt at February. Back to my books :D

    That's not far away from my first assault at the R&S beast. Good luck with your preparations.
  • dynamik (Banned, Posts: 12,312)
    Turgon wrote:
    That's not far away from my first assault at the R&S beast.

    Oh, you're actually going to take it? I thought you just turned into a pro blogger ;)
  • Turgon (Banned, Posts: 6,308)
    dynamik wrote:
    Turgon wrote:
    That's not far away from my first assault at the R&S beast.

    Oh, you're actually going to take it? I thought you just turned into a pro blogger ;)

    It's not a race young man ;) Once you have made time to master the material you are ready and not before. A couple more good months pulling everything together and yep I should be there. Mind you I have to do the written again. Ordered the Cisco Press yesterday!
  • Ahriakin (Member, Posts: 1,799)
    Ah well, a mix of study and work over the last few days. I've been reading "Cisco Access Control Security AAA Administrative Services" and running a small Dynamips lab of 2 routers to do some testing/implementation as I go. I didn't get a chance to read it before the first attempt and had relied on the small sections on ACS in various appliance books as well as the practice labs to learn it. The one question I didn't even attempt in the Lab was ACS based so this is definitely an area I need to work on.
    This book covers it in a nice concise way, it doesn't go overboard with detail but if you have already been through the various appliance guides it's a very good way to review ACS in one book. I wouldn't attempt it until after your first round of studies though, it does not explain any of the actual appliance technologies ACS will help with just how to configure it to do so. I have a spreadsheet of the recommended booklist and if/when I read them and keep a score for relevancy for each from 1-10. When I pass I plan to put this on the first page of this thread, but I figure I can start listing the 'scores' when I mention what I'm reading, for ACS I'd say this is an 8/10.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Ahriakin (Member, Posts: 1,799)
    Last night was the first Full lab session since my last attempt....and my damn internet connection (well entire cable connection TV and all) died at 1am, 2 hours into the session, just as I was getting to the juicy parts. This was also my first IPExpert full lab and it looked pretty good from what I'd seen of it, they don't grade on difficulty but I'm assuming at most they ramp up as you continue. I had only run into one issue with the initial configs by the time the connection failed and that was an incorrect interface number on one of the serials, it pays to take a little extra time and watch those configs paste in at the start as I've seen the same on some of the IEWB setups, they don't really bother me since it helps to do a little troubleshooting as you go but just an FYI on trust levels if someone new to them is reading this. So I waited about an hour figuring it would come back on, mentally counting off each end section that I knew I now wouldn't have time for as the time ticked away, but nope (it came back on sometime after 9am this morning as that's when I headed to bed). I ended up doing a little bookwork and one of the smaller IPExpert Tech Labs (no. 6, PIX Firewall / ASA...yes I know 5 is called PIX Firewall too but I don't come up with the titles :) ), it was effectively split into 2 parts as it has one segment for Transparent firewall, and the other for Multi-Context and Active/Active Failover. The Transparent side was easy, the second should have been but right at the end I could not get them to failover, checked my configs, ran back through the Cisco DOCs. All seemed fine....then I remembered that since my Dynamips lab is using PIX instead of the normal 2xASAs that I needed to also enter the "FAILOVER LAN ENABLE" command. I'm just so used to doing this on the prescribed 2xASA setup that I didn't even think of it. Stooooppeeeedddd.
    This one is a relatively simple lab, no extra complications just a very straightforward implementation of these technologies - with a little MPF work for TCP Normalization and BGP auth clearing.

    Today is a wee bit more on the books I think. The next full lab is tomorrow night. Hopefully the powers that be will actually let me sit it this time.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Ahriakin (Member, Posts: 1,799)
    Well I finally finished "Cisco Access Control Security AAA Administrative Services". It's a decent read and again probably the single best source of info I've seen so far purely on ACS but I would have liked more examples on the bread and butter functions like Authorization. It does cover the theory well, and a bit of configuration for PIX and IOS but not quite enough I think, I would have preferred to have these examples as both TACACS+ and RADIUS. But nothing's perfect, or maybe I'm just slow. Anyway it's definitely worth a read.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Ahriakin (Member, Posts: 1,799)
    Hmmm, decided to take a go at "Securing Your Business with Cisco ASA and PIX Firewalls" and unfortunately it's all, and I do mean ALL, based on the ASDM. Don't get me wrong I'm not some CLI zealot that refuses to use the GUI on principle, the latest ASDM is great and is a much better tool for some areas (like WebVPN, Remote VPN RA policy building etc) but obviously it's not much use for the lab. I had a quick scan through to see if there was any unique theory but nah, a decent book in its own right but I don't know why it's on the CCIE Sec reading list when this material is covered in other more relevant texts (with CLI). Save your money and time on this one.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Ahriakin (Member, Posts: 1,799)
    Tonight went mostly without problems. It was a single session with Proctor Labs / IPExpert (7:45 hr , enough to do a full lab now I should be aiming for that 8hr max.) and my first (relatively) successful attempt at an IPExpert full lab. The issue I had was the IPS wouldn't respond at all, their support couldn't get it going either and offered to move me to another Pod, since the IPS section on this one was very simple and didn't interfere with any other tasks I said not to bother so they credited a few extra hours to this session which was decent enough.
    Since IPExpert don't list difficulty levels I'm going to presume they get harder as you go on but this one (multi-protocol lab 13) was very simple imho. It did test the core technologies but there was very little in the way of complexity, all tasks were quite straightforward and the topology introduced few complications. No MPF work, but some transparent firewall / multi context on the ASAs, though no failover. One or 2 little mistakes, like specifying you could use static routes for one of the VPN tasks on 2 routers only but the only way to make it actually work was also add statics to the VPN Concentrator (which is verified in their Solutions guide), and some questions could be quite vague, but overall a decent little lab, if not the most challenging. Even taking it easy I completed this one in about 5 hours, the IPS section would likely have added about 15 mins to that.
    The biggest benefit here I think is seeing a slightly different approach to IEWB (who delight in adding complications and making you jump through hoops). I'll hold off on further comparisons to IEWB's full labs until I've done a few more and can get a better picture of them overall, the next one may be a killer for all I know ;)

    Next session is Thursday night and I have just under 4 hours left (thanks to the extra time they gave) so I think I'll do a mini-lab from the workbook now too.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • pr3d4t0r (Member, Posts: 173)
    Has anyone deployed Cisco Security Agent in a large scale enterprise ?

    I'm thinking it as a decent HIPS/HIDS system. Does anybody have a better proposal ?

    Thanks.
  • Ahriakin (Member, Posts: 1,799)
    I haven't used it, the company wouldn't splurge for it unfortunately. It seems to be a decent HIPS and its integration with NAC/MARS etc. makes it a very good choice for a Cisco shop.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Ahriakin (Member, Posts: 1,799)
    IPexpert Multiprotocol Lab 14 down. This one was a bit tougher than 13 mainly due to 2 tasks on IOS EZVPN, which I hate. It doesn't help that both the Cisco Docs and the solutions guide use the same damn name for the static and dynamic crypto maps, so when you're looking at the examples and working out how to apply Xauth etc. to your map it isn't clear which one you are really applying it to. It's std. practice to use 2 different names for your static and dynamic maps since you have to eventually nest the dynamic inside the static so to the fool that wrote that section of the Cisco Docs congrats ..... I guess I just need to research it more. There were also more mistakes than on the previous lab. None of the ACLs through which VPNs had to move included ESP in the guide, also a few of the tasks that involved multiple ACLs like the reflexive lists had one or two lines in the wrong list, another common one was not to include a second statement to allow incoming BGP sourced from 179. Stuff that's easy enough to spot but surely they would have found this in testing if not by proofreading....Last up the PIX in transparent mode wouldn't talk to anything either side of it which stopped me testing my inline IPS as well, I checked the VLAN configs/IP+ACL settings etc., all fine but still nothing. Soo the IPS tasks I had to just use the solutions guide for.
    Complain complain complain....I guess I'm just tired and grumpy.
    Anyway other than that another decent practice session, lots of routing authentication, failover, the usual mix of VPNs and only a little AAA interaction. Still not much on MPF though, maybe in the later ones.
    Taking off break times this one took about 6 hours.

    Next full lab is monday night.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
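An added example, not part of the thread or of any vendor's material: a small Python lint for the three things the post above complains about (a static and a dynamic crypto map sharing one name, ACLs in the VPN path without ESP, and BGP permitted towards port 179 but not sourced from it). The configs, names and addresses are constructed; treating a permit for IKE (udp/500) as the sign that a VPN crosses the ACL is an assumption of this example, and the check only looks for the presence of permits without comparing addresses or deny ordering.

```python
import re

# Constructed configs (IOS syntax, made-up names/addresses); FIXED corrects SAMPLE.
SAMPLE_CONFIG = """\
crypto dynamic-map VPN 10
crypto map VPN 10 ipsec-isakmp dynamic VPN
ip access-list extended OUTSIDE_IN
 permit udp any host 192.0.2.1 eq isakmp
 permit tcp host 198.51.100.2 host 192.0.2.1 eq bgp
"""
FIXED_CONFIG = """\
crypto dynamic-map DYN 10
crypto map VPN 10 ipsec-isakmp dynamic DYN
ip access-list extended OUTSIDE_IN
 permit udp any host 192.0.2.1 eq isakmp
 permit esp any host 192.0.2.1
 permit tcp host 198.51.100.2 host 192.0.2.1 eq bgp
 permit tcp host 198.51.100.2 eq bgp host 192.0.2.1
"""

PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operand counts
BGP = {"bgp", "179"}


def _addr(tok, i):
    """Skip 'any', 'host A' or 'A WILDCARD'; return the next token index."""
    return i + 1 if tok[i] == "any" else i + 2


def _ports(tok, i):
    """Skip an optional port operator; return ('eq' ports, next token index)."""
    if i < len(tok) and tok[i] in PORT_OPS:
        end = i + 1 + PORT_OPS[tok[i]]
        return (set(tok[i + 1:end]) if tok[i] == "eq" else set()), end
    return set(), i


def parse_ace(line):
    """Return (action, protocol, src_ports, dst_ports) for an extended ACE."""
    tok = line.split()
    if tok and tok[0].isdigit():              # optional sequence number
        tok = tok[1:]
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        return None
    src_ports, i = _ports(tok, _addr(tok, 2))
    if i >= len(tok):                         # destination missing: malformed
        return None
    dst_ports, _ = _ports(tok, _addr(tok, i))
    return tok[0], tok[1], src_ports, dst_ports


def lint(config):
    """Return findings: shared map names, IKE without ESP, one-way BGP permits."""
    dynamic = set(re.findall(r"^crypto dynamic-map (\S+)", config, re.M))
    static = set(re.findall(r"^crypto map (\S+)", config, re.M))
    findings = [f"crypto map and dynamic-map are both named {name}"
                for name in sorted(dynamic & static)]
    acls, current = {}, None
    for line in config.splitlines():
        header = re.match(r"ip access-list extended (\S+)", line)
        if header:
            current = acls.setdefault(header.group(1), [])
        elif current is not None and line.startswith(" "):
            ace = parse_ace(line)
            if ace and ace[0] == "permit":
                current.append(ace)
        else:
            current = None
    for name, permits in acls.items():
        if any(p[1] == "ip" for p in permits):
            continue                          # 'permit ip' already covers both
        ike = any(p[1] == "udp" and p[3] & {"isakmp", "500"} for p in permits)
        esp = any(p[1] in ("esp", "50") for p in permits)
        if ike and not esp:
            findings.append(f"{name}: permits IKE (udp/500) but not ESP")
        to_179 = any(p[1] == "tcp" and p[3] & BGP for p in permits)
        from_179 = any(p[1] == "tcp" and p[2] & BGP for p in permits)
        if to_179 != from_179:
            findings.append(f"{name}: BGP permitted in one direction only")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)))
```

The second BGP permit matters because either peer may open the session: when the inside router initiates, the replies arriving through the ACL carry source port 179 rather than destination port 179.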
  • Ahriakin (Member, Posts: 1,799)
    Not too much to report. Taking it easy for the next few days as the wife has 5 days off but works Xmas itself, so this is our holiday time. Doing a few hours a day to keep my feet wet, mainly working through the IEWB ADV Tech CBTs again, focusing on EZVPN right now. I'll probably do the IPExpert EZVPN lab after as well. But don't think I'm ignoring this diary, just not too much to say at the moment.....
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • celtic.steve (Member, Posts: 2)
    Ahriakin, excellent thread & looking forward to joining you on this epic adventure.

    S.

    shin-ken
  • Ahriakin (Member, Posts: 1,799)
    Good to see you on here too sir :)

    Anyway today (so far) was IPexpert Lab 7B - DMVPN and IOS EZVPN. No big surprises here. Did all of the DMVPN now minus the docs, it's pretty easy to find and follow the online docs but one less thing to hunt for means that will at least speed things up a bit. The IOS EZVPN made a bit more sense this time so when I was done I made a quick 2 router Lab and configured the first cloud/real-lan connected router as an EZVPN server and connected to it from my own PC, no docs this time as once I got that whole mess of Static vs. Dynamic map sorted (it's the Static btw for all those client config commands in the docs) it's not that bad at all. So one easyish one optimized and another pain in the ass simplified. A good few hours work.
    I've got my IPexpert full lab in 4 hours so I'm taking a break....
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Ahriakin (Member, Posts: 1,799)
    I did about half of IPexpert Lab 15 and called it a day at 2am. Work, mini labs and a full lab with having to be up early the next morning was way too ambitious. I was a bit pissed at the amount of obvious mistakes too, I mean if the task states 'No access-lists' and the very first thing the solution guide tells you to do is use an access-list how much effort did they put into proof-reading, ditto for the Failover task that tells you to configure ASA-2, then also configure ASA-2 in case ASA-2 fails? Really? That didn't stand out to anyone that it was a mistake before publishing? ;)
    Nothing too hard anyway, some use of inspection in lieu of ACLs, routing, AAA and some failover work as stated. I might go back and do some of the more interesting later sections individually on the home lab, at least IPExperts labs tend to be written so that most of the sections are reasonably independent of each other.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Ahriakin (Member, Posts: 1,799)
    Had a quick skim over the pertinent sections from "Troubleshooting Virtual Private Networks" and "Network Security Architectures" again, though I don't think I'm getting much mileage from concept guides anymore, I'm fine with the theory behind them I just need specific implementation knowledge. Sooo, after today no more generic guides, specific Cisco Product DOC guides and a few of the dedicated books like The Router Firewall Guide etc. and that's it.
    I redid IPexpert 7-A, IPSec VPNs. Quite a simple lab of 4 routers and one intermediate PIX, just creating lan-lan's between various interfaces but a little variation in using translated addresses for some endpoints and GRE. It's rated at 3 hours but really it can be done in 30 mins. It did clarify which endpoint IP to use when encrypting GRE inside IPSec at the outgoing interface (vs. using IPSec profiles within the GRE tunnel setup) and generally just provide some practice with the basics.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • booker_213 (Member, Posts: 1)
    Hi Ahriakin,

    How would you rate the workbooks and CoD from both vendors?

    I'm starting my preparation and at this stage am unsure as to which vendor i'll choose.

    Keep up the good work mate!


    Paul.
  • Ahriakin (Member, Posts: 1,799)
    Hi Paul,

    I'd rate the IEWB Adv. Tech Class a lot higher than the IPexpert DVDs as besides interactive commentary (they are recorded from 'live' online classes so there are other people asking questions as you go) and the actual lectures it's great to see Brian go through the configs onscreen and often run into the very problems we would, watching him then troubleshoot is just as valuable as the actual intended knowledge imho. The IPexpert classes were really just a commentary over slides. The IPexpert Audio-only CDs though were actually better imho than their DVDs but without any visual backup it's a lot harder to follow.

    As for Lab workbooks that's a much harder call. Both have mistakes but I'm finding a few more recurrent ones in the IPexpert book. IEWB split their workbooks into Vol 1 for technology mini-labs (much better when you are starting off than jumping into a full mock lab), and Vol 2 for full labs (10 of them), IPexpert's is a mix of both with 12 mini-labs and 7 full labs. IPexpert tend to give more explanations in their solutions whereas IEWB don't (though they have started online tutorials that do explain their solution approaches these cost extra). I don't have IEWB Vol1 so I can't compare the mini's but there are differences in their approaches to the full labs. I think (well so far as I've only done half of the IPExpert fulls) that the IEWB labs are trickier and more challenging, they will make you think a lot more about your tasks which is a good thing but at the same time it makes starting out harder also I think the IPExpert approach is a little (and I do mean 'little') bit closer to the real thing. If you're just starting out from about a CCSP level and can only afford one from each type I'd say get the IEWB Adv. Tech Classes and IPExpert workbook but definitely if you can treat the IEWB Vol2 workbook as your next purchase to advance a bit beyond the IPexpert fulls when you have them done.

    EDIT: Figured I'd update this after the post below about booking lab time. One other thing to consider, IPexpert uses Proctorlabs and IEWB use Gradedlabs for their rack-rental arms. Each partner wires their racks in accordance with their respective vendors workbooks so if you use Gradedlabs you can just load on your IEWB configs and get to work, the same with Proctorlabs and the IPexpert book. The reason this is important at this stage is the difference in each Rack vendor's setup and pricing. Gradedlabs/IEWB do 5:30 sessions and the price varies depending on the time chosen, the average is $15 per session but it can (and often does go higher), they also use pre-sold tokens in batches of 15 (1 token per $1) so if you need to book a double session and the first is 15 tokens but the 2nd is 20 you need to buy 3x15 token packs and have some left over. When you start off this isn't such a big deal as you will use the spare ones up but near the end you are looking at a bit of waste. Also with their labs being more complex it'd be very hard to complete one in one session, and you definitely would not have time to properly verify it so you almost always need to book doubles to do their full labs, so you are looking at a min. of $30 per lab session, though you do get plenty of time for breaks and taking your time to learn during this time. Proctorlabs do 7:45 sessions, currently $20 a pop and you pay directly so no tokens/possible waste. Also that is a perfect timeframe for a single full lab, maybe not when you start off as your first few can take much longer but nearer the end when you are trying to match real lab time it's plenty of time (also as their labs are a little easier again the timeframe is not as constrained).
Lastly I've found Proctorlabs hardware is newer/faster (including the VMs used for the ACS server etc., also java is up to date so there is no 10 minute lag waiting for the IPS GUI to come up as can happen on older versions (and usually does on the Gradedlabs VMs)) and more consistent (e.g. the hardware for router9 on one pod is the same on the others so you can reload your configs with ease). With Gradedlabs the hardware is a little older and some of the units are different from rack to rack, they all conform to the blueprint but what I mean is Fa0/1 on Router3 on one rack might be eth0/0 on Router3 on another so moving saved configs from rack-rack between sessions can be a problem. Not a biggy but when you are paying for the time it all counts.
    I've had more issues than I appreciate with both vendors as regards availability and some units on the racks being unresponsive but in both cases I found their support staff to be responsive and helpful, I just wish I didn't have to use them so much.
    So ultimately while I prefer the IEWB Lab Workbook I think Proctorlabs are a better rack provider (not by a whole lot but enough that if I could do both vendors workbooks on either rack-vendor Proctor would be my choice).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?