My CCIE Security (thread)

Comments

  • KrekenKreken Member Posts: 284
    I am going through the Z2H lab workbook and I build and troubleshoot my own. I don't build them to be extensive so one topology could be used for everything; I break it down by specific topics so it's easier and quicker to set up. I would recommend to try and build your own at least a couple of times. After a while, you realize there are only so many ways you can break it as traffic still needs to get through.

    I don't think it's possible to do v4 after 30th January. That's why I scheduled mine for early December so if I fail, I could still try to get in one more attempt after 30 days wait time.
  • KrekenKreken Member Posts: 284
    I accidentally dropped on the blog of one of our forum goers, ccie14023. I couldn't stop reading. Highly recommend.

    In one of his articles, Multiple CCIE’s, multiple attempts | SubnetZero, he talks about his attempts and preparations for the security lab. He also created his own lab scenarios and didn't really use a workbook. Reading that gave me a little boost in confidence that there are other people who prepared the same way as I do and passed the exam.

    His suggestion to use block diagrams to memorize IPsec configuration is spot on. I have a mental checklist that I go through to help me with the config but I will follow his suggestion and create one for EZVPN. Something called EZVPN shouldn't be that overly long and complicated.
  • ccie14023ccie14023 Member Posts: 183
    Kreken wrote: »
    I accidentally dropped on the blog of one of our forum goers, ccie14023. I couldn't stop reading. Highly recommend.
    Thanks for the kind words. I was hoping to provide a little inspiration for those who are working on this test. I remember how much that mattered to me when I was preparing for it. I've been working on the last post ("The Value of a CCIE") for months now. I've been working at Cisco for a year now as a Principal TME working on switching programmability/automation, so I think I have some interesting contributions to this perennial question. Supposedly we are in a software world and CLI will go away, and the CCIE will be worthless. I've been putting a lot of thought into it, so you'll have to wait to see my answer. Meanwhile I still need to clean up the posts a bit. Unfortunately I linked to groupstudy.com threads in several of the articles, but they've gone off-line. There were some really classic posts in there (like Bruce Caslow's reaction to the "new" one-day exam) which I hope are not lost forever. I should have grabbed the text instead of linking. Ah well. As for EZVPN... Man I got killed on all the IPSec configs and realized I needed a new way to visualize them. And I agree, from day one I noticed there was nothing EZ about EZVPN. Every exam is different, however, and I used none of those techniques when I took the JNCIE in 2014. It's always an adventure. Anyway, the link to the whole series is here: 10 years a CCIE | SubnetZero Thanks again.
  • Emporio ArmaniEmporio Armani Member Posts: 6 ■□□□□□□□□□
    krekken,

    Thank you for citing ccie14023's blog. I spoke to my boss yesterday and he said I can go for the v4 written and lab exams. If I take the written on Nov. 18, I'll have one shot at a re-take in December. Should I pass in December, I'll have one shot at the lab before it changes to v5. I'll be essentially preparing for the lab and written at the same time. Based on your write-ups and ccie14023's blog, a home, always-on lab versus rack rentals sounds like the best setup. The Z2H pod is not quite there yet to lab all the topics. Unfortunately, I don't have the home lab built so I'll need to build it on the fly in the order of topics being labbed.

    ccie14023,

    Your blog is indeed inspirational. The switch from Voice to Security was a real twist. I appreciate the block diagrams as well to visualize the IPsec setup process. Reminds me of the diagrams in the Richard Stevens TCP/IP Illustrated book.
  • mbarrettmbarrett Member Posts: 397 ■■■□□□□□□□
    ccie14023 wrote: »
    Anyway, the link to the whole series is here: 10 years a CCIE | SubnetZero Thanks again.

    Thanks for the link to your blog - very interesting read. Nice walk back in time.

    ccie14023 wrote: »
    Unfortunately I linked to groupstudy.com threads in several of the articles, but they've gone off-line. There were some really classic posts in there (like Bruce Caslow's reaction to the "new" one-day exam) which I hope are not lost forever. I should have grabbed the text instead of linking.

    I noticed that as well. The internet archive has much of that site cached, I didn't find specific mailing list posts though - maybe I just didn't look far enough.
  • KrekenKreken Member Posts: 284
    @ccie14023, thank you for stopping by. The story A CCIE Goes Home to Cisco | SubnetZero is great. It reminded me of my interview for the previous job. The interviewer was a CCIE and it was done in a troubleshooting style. For each question, I had to give five/six answers. It wasn't very long but it was brutal. By the time I got home, I had an offer in my email. To this day, passing that interview feels like an accomplishment.

    @emporio armani, that is an aggressive schedule. I wish you luck. About the lab... I built the lab on a server but most of the time I don't use it. I do everything on my desktop (i5 w/12GB RAM) at work. I run ISE, WSA and WLC in VMware player. I use a small 3560 on my desk and the rest, routers for VPNs and ASAs are in GNS3. It shouldn't take more than a couple of hours to get everything set up.
  • fumanchufumanchu Member Posts: 24 ■□□□□□□□□□
    Hi;

    I have my Sec v4 lab scheduled for Jan 2017. I will have one shot at it before V5 takes over. Will CCIE Sec v4 written qualify for v5 lab?

    Thanks,
    Fumanchu
  • Emporio ArmaniEmporio Armani Member Posts: 6 ■□□□□□□□□□
    @fumanchu, yes the Sec v4 written will qualify for the v5 lab. A Cisco Learning Network Moderator on this thread in the Cisco CCIE Security Study Group also confirms you can take the v5 lab with a v4 written pass. I may end up taking the v4 written and v5 lab.
  • Emporio ArmaniEmporio Armani Member Posts: 6 ■□□□□□□□□□
    fumanchu, yes the Sec v4 written will qualify you for the v5 lab. I may end up taking the v4 written and v5 lab.
  • fumanchufumanchu Member Posts: 24 ■□□□□□□□□□
    Thank you Emporio.
  • KrekenKreken Member Posts: 284
    I just found there is a command in ASA to help you configure VPNs - it lists required steps. IKEv1 only but still.

    ciscoasa(config)# vpnsetup ?

    configure mode commands/options:
    ipsec-remote-access Display IPSec Remote Access Configuration Commands
    l2tp-remote-access Display L2TP/IPSec Configuration Commands
    site-to-site Display IPSec Site-to-Site Configuration Commands
    ssl-remote-access Display SSL Remote Access Configuration Commands
    ciscoasa(config)# vpnsetup ipsec-remote-access ?

    configure mode commands/options:
    steps Display VPN Setup Commands
    ciscoasa(config)# vpnsetup ipsec-remote-access

    ciscoasa(config)# vpnsetup ipsec-remote-access steps

    Steps to configure a remote access IKE/IPSec connection with examples:

    1. Configure Interfaces

    interface GigabitEthernet0/0
    ip address 10.10.4.200 255.255.255.0
    nameif outside
    no shutdown

    interface GigabitEthernet0/1
    ip address 192.168.0.20 255.255.255.0
    nameif inside
    no shutdown

    2. Configure ISAKMP policy

    crypto isakmp policy 65535
    authentication pre-share
    encryption aes
    hash sha

    3. Setup an address pool

    ip local pool client-pool 192.168.1.1-192.168.1.254
    <--- More --->
    etc

    Edit: it is available only in the config mode.
  • KrekenKreken Member Posts: 284
    It looks like I will get only one attempt at v4 in December. If I fail, I will have to do v5. I've been checking the lab scheduling tool and there is only one date open now for January which could work for me in RTP and none in San Jose.
  • KrekenKreken Member Posts: 284
    2.5 weeks left to practice. With the class cancelled on Saturday, it will give me more time to lab VPNs. I think I might have to use Product & Technology site to look up commands for EZVPN.

    Anxiety has been building up and I hope during the exam I won't be a nervous wreck.
  • KrekenKreken Member Posts: 284
    tl;dr version
    I failed the lab. Lesson: manage your anxiety better.

    long version
    My flight to NC was uneventful. Upon arrival, I got my rental car and drove to the hotel I was staying in, Comfort Suites. After checking in, I went out to get dinner; came back and reviewed a little before heading to bed at 9:30pm.

    I was so nervous about the exam, I couldn't fall asleep. With each passing hour, I was getting more anxious because I knew the lack of sleep would have a negative effect on my performance on the lab. My mind was running in this closed circle and I felt like I was slowly losing it staring at the ceiling. 6AM came and I barely slept. My mind was foggy and I felt exhausted. I went downstairs for the breakfast and could barely force down half a cup of coffee.

    At 7AM, I was at building 3 in Cisco campus. Me and other candidates waited for the proctor to come in and let us into the lab. When he arrived and checked us for electronic devices, we were allowed to sit down at assigned desks and start the exam. Due to the sleepless night and anxiety, I could barely think. The section which should have taken me no longer than an hour to complete, took me about two and a half.

    My head finally cleared up a little at lunch time and I was able to take a clear look at the lab. By 2PM, I realized there is no way I will be able to finish the tasks and fix the mistakes I did in the first four hours. At that exact moment, I found my inner peace again which was missing for a long time. It was over, not with a desirable result but it was finally over. I would have left at that time but didn't want to hang out at the airport for six hours. So I stayed and did what I could do in the time still left. When the email arrived, it was no surprise I didn't pass.

    My only gripe about the lab is the interface. I found it to be annoying with the console screens "always on top" enabled. You can't just highlight and right click like in putty too. You have to select "paste" option. Small things but they do slow you down a little.

    Looking back at the lab right now, if I would have been feeling like I felt today in the morning, I believe I would have a good chance of passing it. There wasn't really anything that I didn't know or was new. Although, there were a couple of issues I was troubleshooting that made me go "wtf".

    If I knew that my anxiety would spiral out of control the night before, I would have taken either some sleeping aid pills or drunk a bit of cognac. Lesson learned the hard way.

    I am definitely going back for another try. Most likely it will be for the new v5, since all spots are already taken for v4, and around May-June time frame. For now, I will take a short break from studying, read some design books I wanted to and maybe go on a vacation.

    Cheers. Thanks for reading.
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    Sorry to hear about your loss. That sucks :( If it makes you feel better, the first time I attempted the lab, I spent the weekend in San Jose getting a massage, spa treatment, and the whole works. I slept 8 hours before the test which is 4 more than I usually do and glided into the lab with perfect zen. 8 hours later, I failed by about 1 point. Second time I attempted the lab, I didn't get to take any time off of work prior to that lab, I was working until the moment I got off the phone, and was up until 1AM the night before. I ended up going into the lab with the same amount of sleep as I usually got before I started labbing and I was at my usual stress level and somehow I pulled off a pass. For me, I think the conditions should be as close to how you usually are labbing when you're at home - same level of sleep, pick up a K120 Logitech keyboard or Dell keyboard (depends on the spot you sit in the lab but they're mostly K120s worldwide), get used to arranging your putty windows to match topology when labbing.

    Other general recommendations I can make:
    - Learn to love notepad. It's a great way to spot check your config before you copy/paste, if you copy/paste into the wrong device you have a quick easy config written out to back out, and a lot of the exam might have you doing similar configs which you can easily copy from there
    - Each task, open just the putty windows you need for that section and arrange it like the topology. I liked having the topology up on one window and my putty sessions on the other window so I could correlate
    - You can't know everything but know where to find the important stuff quickly in DocsCD in the event you have a brain fart
    - "Don't knock on the glass. It's not a summoning portal" - LoL
    - Always hug the proctor on the way out the door. It's good luck :)

    If you do plan on going for the v5 lab, keep me in the loop. We might end up going around the same time.

    My recommendation is also to go to NC the next time you attempt as well. David Blair is sarcastic but at least he does take some of the stress off and he communicates with you. When I went to San Jose for my first attempt, I didn't get any info. The proctor wouldn't even say if they would grade the lab or someone else would. David could seem off-putting to someone really nervous but I get the sense he really wants people to pass and he tries to help in the ways he can without breaking NDA or holding your hand or helping you actually pass the test.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • KrekenKreken Member Posts: 284
    Thanks Iris.

    - Each task, open just the putty windows you need for that section and arrange it like the topology. I liked having the topology up on one window and my putty sessions on the other window so I could correlate

    This is great advice. Much better than the mess I had on my desktop with everything open.

    - "Don't knock on the glass. It's not a summoning portal" - LoL

    Don't wave to David either. I missed that part so we ended up waving to each other through the glass. hah.
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    Hahahaha. David is a really good guy. Next time you go through there, tell him Katherine says hi. He's supposed to do a Webex session with some folks in our study group on "what you need to know before you go into the lab" with some really good logistical advice. I'll record and send you a link
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • ccie14023ccie14023 Member Posts: 183
    Many of us have been there.

    CCIE R/S: Didn't sleep either, but managed to pass in one attempt. Don't worry about not sleeping. It's better to be rested of course, but you can do it with no sleep if you have to. Worrying about it just makes it worse.

    CCIE Sec: Three attempts. First time was crash and burn, second time almost made it. Third time was easy.

    JNCIE SP: First time I realized I failed within the first hour. Yeah, you get some peace at that point, but not a good peace. The whole lab was based on one thing that I just couldn't figure out. Second time I passed.

    Point is, you fail and get back on the horse.

    Although I took Security nearly 10 years ago, one thing I always recommend is finding out what setup they will give you in the lab. That, AFAIK, is not under NDA. When I did JNCIE a couple years ago, I got killed because I use a Mac and they had a PC with SecureCRT. I was messing up copying/pasting. That wasn't what failed me, but you can be sure I got a Windows VM on my Mac and played with SecureCRT a bit before I did my second attempt.
  • KrekenKreken Member Posts: 284
    Thank you. Next time it will be different, I hope. The exam will not have a version change for a while so I wouldn't feel the same kind of pressure.
  • KrekenKreken Member Posts: 284
    I was looking up information about inter-site ASA cluster yesterday and came upon Iris's networking fun blog. I was like, hey, I haven't been to techexams in a while. Anyway, on to status update.

    Some things I have hoped for didn't come through or came through not the way I expected in the new year. My current contract was extended by one more year so that's good. I started my own company and became a Cisco partner. In the past few months I had to learn AWS to set up my infrastructure instead of renting a rack in a colo and learn a lot about 802.11. The company development process is slow and time consuming. If it starts going strong one day, then hopefully, I will switch to work for myself full time.

    You have one year after the first lab to try second time or your written will expire. I started reviewing two weeks ago and currently planning on late September/early October dates for the second attempt; haven't decided either NC or CA locations. Does anybody know how much it costs to reschedule the lab date if you already paid and it is less than three months left?
  • KrekenKreken Member Posts: 284
    To answer my own question. If you are within 90 days and want to reschedule the lab: 90 to 45 days - the fee is $350, 44 to 2 days - $500.
  • KrekenKreken Member Posts: 284
    So far reviewed the ASA and Firepower sections of my notes from Z2H class; watched Lab Minutes videos about FTD 6.1 and started going down the list of recommended articles and presentations from Cisco Learning study material (https://learningnetwork.cisco.com/community/certifications/ccie_security/lab_exam/study-material).

    In the first section, Perimeter Security and IPS, I haven't finished watching all presentations but would highly suggest to watch these two so far:
    1. Troubleshooting ASA FirePower. Seriously. This video is a gold nugget.
    https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=89936&backBtn=true
    2. ASA Clustering Deep Dive. Very good info and presentation on ASA clustering.
    https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=89923&tclass=popup
  • KrekenKreken Member Posts: 284
    This week was VPN review and started reading "IKEv2 IPsec Virtual Private Networks" to catch up on IKEv2 and FlexVPN. My gut tells me FlexVPN is like EZVPN all over again.
  • KrekenKreken Member Posts: 284
    I move through this book with the speed of old people fu... If you are like me, this Cisco Live video talks about the main features covered by the book - https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=89288&backBtn=true (1.5 hours). I will still finish the book in due time; just want to finish my review with AAA and infrastructure next week.
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    Hey Kreken, that IKEv2 book was pretty hard for me to sit through too. Give the labminutes Flexvpn videos a try and lab it up while watching them.

    Good luck!
    BS, MS, and CCIE #50931
    Blog: www.network-node.com