ISCW Resources
Hello Everybody,
I've noticed that there is a rich amount of material on this board for the BSCI and the BCMSN. It would be great to see more study information for the ISCW and ONT, so I have taken it upon myself to compile information together for the ISCW and organize it in this thread. Since I am currently studying the ISCW, I will organize my data and labs by the order of the Official Exam Certification Guide. I will continually update this page as my studies continue, and re-organize data to make it easier to read and find information. Hopefully we can see a sticky for ISCW and ONT resources in the future!
1. DSL Technologies
The following are 3 lab scenarios for DSL: PPPoE, PPPoA, and simple RFC 1483 bridging. I will be using aal5snap at the ATM adaptation layer since it is most common (aal5mux could also be used, but the configuration is slightly different). If you need help setting up these topologies in GNS3, let me know.
A. PPPoE
Most common in today's deployments. It should really be called PPPoEoA since ATM is the underlying data link protocol. PPPoE also has the highest amount of overhead. MTU should be adjusted for the most efficient use of bandwidth. Max MTU 1492, optimal 1452 due to cell padding added by ATM encapsulation.
AGGREGATE ROUTER:
username cisco password 0 cisco
!
bba-group pppoe PPPoE
 virtual-template 1
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group PPPoE
!
interface Virtual-Template1
 ip address 172.16.1.3 255.255.255.0
 peer default ip address pool cisco
 ppp authentication chap
!
ip local pool cisco 172.16.1.100 172.16.1.200
CLIENT ROUTER
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname cisco
 ppp chap password 0 cisco
B. PPPoA
Less common in today's deployments. Less overhead than PPPoE, and is simply PPP being transported by ATM cells.
AGGREGATE ROUTER
username cisco password 0 cisco
!
interface ATM2/0
 no ip address
 no atm enable-ilmi-trap
 no clns route-cache
 pvc 1/100
  encapsulation aal5snap
  protocol ppp Virtual-Template1
 !
!
interface Virtual-Template1
 ip address 172.16.1.1 255.255.255.0
 peer default ip address pool cisco
 ppp authentication chap
 no clns route-cache
!
ip local pool cisco 172.16.1.10 172.16.1.20
CLIENT ROUTER
interface ATM1/0
 no ip address
 no atm enable-ilmi-trap
 no clns route-cache
!
interface ATM1/0.1 multipoint
 no atm enable-ilmi-trap
 pvc 1/100
  dialer pool-member 1
  protocol ppp dialer
 !
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname cisco
 ppp chap password 0 cisco
 no clns route-cache
!
C. RFC 1483 Bridging
Not common and phased out in most locations. I had this type of DSL connection a long time ago when DSL was first released in my area. It is simply Ethernet-over-ATM bridging. No security from PPP, and usually a static IP address is assigned (or at least I had one way back when!). This is not covered on the ISCW, but I thought it would be interesting to mention.
AGGREGATE ROUTER / CLIENT ROUTER
identical configurations
interface ATM1/0
 no ip address
 no ip route-cache
 no atm enable-ilmi-trap
 no clns route-cache
 bridge-group 1
 pvc 1/100
  encapsulation aal5snap
 !
!
interface FastEthernet2/0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no clns route-cache
 bridge-group 1
!
!
bridge 1 protocol ieee
2. MPLS Technologies
The following labs take you from a very basic MPLS configuration to a more complex VPN configuration. Make good use of the show mpls commands so you can observe how the LIB, LFIB, and LDP protocol work. I also suggest using Wireshark to get a real under-the-hood look at how the packets look! Each lab builds upon the previous, so you don't have to start a new topology when going from Simple to BGP to VPN.
A. Basic Concepts.
MPLS is a layer 2.5 technology which can be run over just about any data link protocol. Labels are applied to frames which correspond to the destination network of the encapsulated packet. This allows the core of your network to be unaware of the layer 3 topology. Only your edge LSRs (label switching routers) must contain full routing tables. P (provider) routers, or the core routers, only run an IGP, which provides reachability for the internal provider network. PE (provider edge) routers run MP-BGP and exchange customer routing information directly between each other.
B. Simple MPLS Lab.
This is a good starting point if you have not set up an MPLS lab yet. Very basic configuration which should help you understand basic LDP discovery, and LFIB and LIB population.
Picture of Topology
GNS3 Project File
Router configuration files
D. MPLS BGP Lab
The concept here is that you run BGP on your edge routers only. Your core routers run an IGP which contains routes for your internal network. This perfectly demonstrates how the core routers forward packets based on their labels, and not layer 3 headers. I recommend using Wireshark to get a real under-the-hood look at the MPLS tags.
Picture of Topology
GNS3 Project File
Router configuration files
E. MPLS VPN Lab
The following is a simple MPLS VPN lab. The ISCW Official Exam Certification Guide does not go into much detail in regards to the configuration of this, which is a shame because it's very interesting. The main component here is the multiple VRF instances and Route Targets which bring it all together.
Picture of Topology
GNS3 Project File
Router configuration files
3. IPSEC
A. Summary of features.
IPSEC allows two end points to send packets to each other securely over public networks (the internet). The AH and ESP headers provide data confidentiality, data integrity, authentication, and anti-replay detection. There are two modes in which IPSEC can be used: tunnel mode, which adds a new IP header and completely encrypts the original packet, and transport mode, which protects only layer 4 and above, not the complete packet.
B. IPSEC Tunnel mode
#### PHASE 1 CONFIGURATION ####
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp key ciscopasskey address 69.x.x.x
!
#### PHASE 2 CONFIGURATION ####
!
crypto ipsec security-association lifetime seconds 7200
!
crypto ipsec transform-set set-10 esp-3des esp-md5-hmac
!
crypto map to-work 10 ipsec-isakmp
 set peer 69.x.x.x
 set transform-set set-10
 match address 180
!
#### DEFINE INTERESTING TRAFFIC ####
!
ip access-list extended 180
 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.7.255
!
interface FastEthernet0/0
 description WAN
 ip address dhcp
 ip access-group firewall in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map to-work
GNS3 Project File
Router configuration files
C. IPSEC Transport mode
I decided to do a mixed Cisco/Linux lab with transport mode IPSEC. I figured this would be more interesting because I will be doing another transport mode lab in the next section. Openswan is the Linux implementation of IPSEC I decided to use. Configuring the Linux box requires you to install Openswan with distro pkg management and make sure you have ESP support enabled in your kernel (most distros should have this compiled as a module by default). The Openswan configuration files are /etc/ipsec.conf and /etc/ipsec.secrets.
Openswan
ipsec.conf
ipsec.secrets
Cisco IOS
Note: If you were to set this up between two Cisco devices, you would mirror the following configuration.
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
crypto isakmp key yoursecret address 172.16.1.1
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set set-20 esp-aes esp-sha-hmac
 mode transport
!
crypto map to-work 20 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set set-20
 match address 170
!
ip access-list extended 170
 10 permit ip host 172.16.2.2 host 172.16.1.1
!
interface FastEthernet0/0
 description WAN
 ip address dhcp
 ip access-group firewall in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map to-work
D. GRE over IPSEC
In this configuration I am using IPSEC transport mode again. Using tunnel mode for this would be pointless, and would add another 20-byte IP header to each packet. RIP routes are being exchanged between the two VPN endpoints via the GRE tunnel.
GNS3 Project File
Router configuration files
E. Easy VPN Server
This is a basic configuration for Easy VPN Server. I completed this particular configuration with the Cisco SDM and tested it with the Cisco VPN Client. This lab is an extension of the above GRE lab. R1 is connected to a tap interface which is bridged on my Linux box. This gives me full access to the HTTPS server and allows me to test the Easy VPN with a client on my Windows VM. (Message me for information about setting up the tap interfaces and bridging.)
GNS3 Project File
Router configuration files
4. Security / AAA
Basic router security covered in the ISCW includes auto secure, granular user access control, and AAA. I will go over some of the basic functions included in the auto secure script, and include some labs for setting up AAA with tacacs+. I will provide a sample configuration file for the Linux tacacs+ server.
A. AAA with Linux tacacs+ server
This lab will demonstrate the usage of AAA with an external authentication server. Either tacacs or RADIUS could be used, but I decided to go with tacacs since it is the Cisco-recommended protocol. Any Linux distribution can be used for this exercise; if your distro's repository does not include tac_plus, you can install it from source.
Linux server setup:
The setup for the Linux tacacs+ server will be very basic. We will authenticate local Unix accounts. More advanced configurations can be used to authenticate against LDAP or Active Directory, but that is another topic. I should mention that it's helpful to run tcp **** on port 49 and increase the debug level when running tac_plus for the first time; this will help you catch any errors.
Once tacacs+ is installed (see above link for download), you can simply start the service by running:
tac_plus -C /etc/tac_plus.conf (your config file can be anywhere, just make sure to specify the correct path)
example config:
tac_plus.conf
AAA Configuration in IOS:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs-server host 172.16.0.3 key ciscokey
Very intuitive configuration here. AAA is set up in such a way that users are first authenticated by the tacacs+ server; if it is unreachable, the local user database is tried. The same thing for enable. This is obviously important because otherwise, if you lose connectivity to your tacacs server, you'll be locked out of your router/switch.
This is it for the labs. Everything else on the ISCW is Firewall, Security, and IPS technologies. I highly suggest learning the SDM for these security practices. Of course you should also know these functions by command line; however, this exam does have an emphasis on the SDM.
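An added check, not part of yuriz43's post or of anything the ISCW guide ships: a Python script that parses the ISAKMP policies and transform sets from the two IPsec configurations above (joined here as a constructed sample) and flags the phase 1 and phase 2 settings a reviewer would question today, filling in the IOS defaults for lines a policy omits. The weak-algorithm thresholds are my own assumption.

```python
import re

# Constructed excerpt: the ISAKMP policies and transform sets from the two
# IOS configurations in the post above, joined as one running-config sample.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
!
crypto ipsec transform-set set-10 esp-3des esp-md5-hmac
!
crypto ipsec transform-set set-20 esp-aes esp-sha-hmac
 mode transport
"""

# Values IOS applies when a policy omits the line (policy 20 omits "hash").
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
# Reviewer's own thresholds (assumption, not something the exam guide states).
WEAK_ENCR, WEAK_HASH = {"des", "3des"}, {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}          # MODP groups of 1536 bits or less
WEAK_ESP = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac"}


def parse_config(text):
    """Return ({policy_number: settings}, {transform_set_name: settings})."""
    policies, transforms = {}, {}
    current = None                        # ("policy", num) or ("ts", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":       # "!" closes the current section
            current = None
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = ("policy", m.group(1))
            policies[m.group(1)] = dict(ISAKMP_DEFAULTS)
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            current = ("ts", m.group(1))
            transforms[m.group(1)] = {"transforms": m.group(2).split(),
                                      "mode": "tunnel"}   # IOS default
            continue
        if current is None:               # global line we do not audit
            continue
        kind, name = current
        key, _, value = line.partition(" ")
        if kind == "policy" and key in ISAKMP_DEFAULTS:
            policies[name][key] = value
        elif kind == "ts" and key == "mode":
            transforms[name]["mode"] = value
    return policies, transforms


def audit(text):
    """List findings for weak phase 1 (ISAKMP) and phase 2 (ESP) settings."""
    findings = []
    policies, transforms = parse_config(text)
    for num, p in sorted(policies.items(), key=lambda kv: int(kv[0])):
        tag = f"isakmp policy {num}"
        if p["encr"] in WEAK_ENCR:
            findings.append(f"{tag}: weak encryption {p['encr']}")
        if p["hash"] in WEAK_HASH:
            findings.append(f"{tag}: weak hash {p['hash']}")
        if p["group"] in WEAK_DH_GROUPS:
            findings.append(f"{tag}: weak DH group {p['group']}")
    for name, ts in transforms.items():
        for t in ts["transforms"]:
            if t in WEAK_ESP:
                findings.append(f"transform-set {name}: weak transform {t}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the tunnel-mode lab's 3DES/MD5/group 2 settings and the transport-mode lab's DH group 2, while set-20 (AES with SHA-1 HMAC) passes.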
Comments
cdad2000 (Member, Posts: 323):
Yuriz,
I'm glad you took matters into your own hands. I'm in the same boat as you w/ ISCW. So I'll be watching this thread closely. Hopefully, I could add some useful information.

yuriz43 (Member, Posts: 121):
Any information you could add would be great. Also let me know if I write something that is incorrect.
Just as an update:
I spent a lot of time working on the MPLS labs last night. As for the scope of the ISCW they are probably way overkill, but it is such a cool technology! All GNS3 project files and router configurations have been included.

jeanathan (Member, Posts: 163):
yuriz43 thank you for posting the PPPoE/PPPoA info; understanding the ISP side has been evading me, but those configs/info have cleared it up.
-- Struggling through the re-certification process after 2 years of no OJT for the CCNP.

yuriz43 (Member, Posts: 121):
Added IPSEC labs. Included Openswan configurations. GRE over IPSEC lab is coming next.

APA (Member, Posts: 959):
Good stuff Yuriz
Ah I remember sitting ISCW.... and your MPLS stuff is great... when you're studying there is no such thing as too much info!
-- CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP

yuriz43 (Member, Posts: 121):
GRE lab is complete. Also added an Easy VPN server lab. There won't be too much for labs with security (except for AAA). Firewall and IDS will be last.

yuriz43 (Member, Posts: 121):
AAA Linux / tacacs+ lab is complete.
If you don't have a Linux box I suggest trying the Cisco ACS for Windows, which includes a tacacs server amongst other cool services.

yuriz43 (Member, Posts: 121):
I passed the ISCW today.
I'll continue checking this thread from time to time; if anybody has any questions about my labs or GNS3 let me know!

gorebrush (Member, Posts: 2,743):
Congratulations!
I'm hoping to sit the ISCW in the next 6 weeks, these resources look marvellous

Element926 (Member, Posts: 36):
This is great, I'm going to use these labs before I take the test.

jeanathan (Member, Posts: 163):
Congratulations yuriz43! I took my test on the 18th too, but failed.
Your AAA tacacs+ Linux lab is just what I need to help me prepare for round two; many thanks for sharing the information.
-- Struggling through the re-certification process after 2 years of no OJT for the CCNP.

yuriz43 (Member, Posts: 121):
For anybody doing the AAA lab, a really fun thing to do is configure tacacs+ to authenticate against Active Directory. There is more than one way to do this, but the simplest (with Linux) is to use Winbind & PAM. These instructions are in the main page.
Also, some AAA authorization configurations to limit users to certain commands!

netn3rd (Member, Posts: 19):
I'm just starting on my ISCW prep. How did you practice the DSL stuff? Or did you just memorize commands? Just wondering how people approach the stuff that can't be done with dynamips...

yuriz43 (Member, Posts: 121):
> I'm just starting on my ISCW prep. How did you practice the DSL stuff? Or did you just memorize commands? Just wondering how people approach the stuff that can't be done with dynamips...
I used the labs above. All of which can be done with dynamips. The PPPoE lab is a bit of a hack, but it allows you to understand the concepts and commands required for PPPoE. In a real-world situation, you would most likely use a WIC-ADSL module, and configure PPPoE on your ATM interface directly (dynamips won't allow you to do this).