CCIE Sec Lab Diary - or how to make Ahriakin's brain implode

Ahriakin (Member, Posts: 1,799)
As a foreword, considering how much I've talked about various training products in the later pages I think I need to point out that anything mentioned here is solely my opinion; they are not to be taken as statements of absolute fact but just my thoughts from my own experiences, yours may differ. Also the content in this thread is in no way the responsibility of or a reflection of TechExams....just me, myself and I....okay? :)

____________________

Hi Folks,

I've never gotten into the whole blogging thing (though I have greatly appreciated some of them on here) but was asked if I'd mind doing a diary of my preparation for the Security Lab. I doubt these will have the detail and eloquence of Turgon's epic but if anyone else finds something useful in here then it'll have done the job :).

Since I didn't have the forethought to do this from a clear beginning point I'll start off with some background as to me it's very hard to say when the CCIE trek really began - was it with the written exam or with my first attempt at the CCNA?

I did my CCNA in Jan 2006 and the SNRS exam from the CCSP that summer but didn't get decent exposure to a 'real' network until Sept. when I landed my current job (I'll admit it I used them to pad the resume hoping it would help me crossover from Server admin. to Network engineering). I took a bit of a detour on my CCSP track as I still had servers to look after so mixed the MCSE 2k3 exams in with it over and into 2007. I took and passed the CCIE sec. written in March 2008 but again got sidetracked into some other work projects that ate up my study time. I started lab prep'ing properly around mid August and went to the Internetwork Expert Bootcamp in Chicago at the end of Sept. 2008 - more so to make up for time I had lost to those work projects than from any belief I was ready for the lab and just need some bootcamp polish. Now I've cut work back to 20 hrs a week (I work remotely and have flexible hours) from now until I pass the lab.

My first lab date is November 21st in San Jose and I am just a weeeee bit nervous.


Anyway all of the above either serves as some interesting context or just as a disclaimer for the fact that yes in a lot of ways I am still a Cisco n00b with what many would consider too little experience to give the CCIE Sec. lab its due and you will see a lot of stupid stupid mistakes made by yours truly in the next few months. But hey, gotta have goals :)
and there's always the luck of the Irish...isn't there?....erm

So on to the first diary thingy part.
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?

Comments

  • Ahriakin (Member, Posts: 1,799)
    Next up I guess the materials I'm using:

    Physical Lab
    3x2620 Routers
    1x3640 Router
    2x2924XL Switches
    1x3550 L3 Switch (12.25SEE)
    1xPIX 515 Firewall (Restricted 7.2)
    1xPIX501 Firewall (Restricted 6.3(5))
    1xASA5505 Firewall (Restricted 8.04)
    1xVPN3005 Concentrator (4.7)

    Dynamips/Dynagen, PEMU = GNS3
    3640 Enterprise + Security image
    PIX 7.2 Unlimited

    The physical routers do not have the hardware to run full security images so their use to me right now is not much beyond simple routing so the majority of my work will be (is) being done in GNS3. With that running on 2 PCs and the ability to link out to physical boxes like the VPN3k it's actually not that bad a setup. I'm thinking of trying to create a VM based IPS but I'm not sure the return would be worth the effort since (a) I can access the ones at work and (b) you can skip them within full labs without affecting any other device/task - not ideal but it's not as bad as not having a PIX or similar missing that does have the ability to affect other tasks.

    Training Materials
    IPexpert Lab Prep Workbook 4.1 + Proctor guide
    IPExpert Sec Lab DVD and Audio course.
    Internetwork Expert Security Lab Workbook Vol 2
    Internetwork Expert Advanced Tech Online course
    CBTNuggets Streaming Subscription
    Most of the books on the recommended reading list (about half paper and the rest on Safari).

    Useful Web locations
    InternetworkExpert Security Blog - http://blog.internetworkexpert.com/category/ccie-security/

    Recommended Cisco DOC Locations
    These are not URLs as that would be useless to you in the lab, but rather navigation guides from the main Cisco DOCs URL of http://www.cisco.com/web/psa/product...configure.html

    PIX/ASA:
    Security - Firewall/Firewall Appliances - Cisco ASA 5500 Series Adaptive Security Appliances - Configuration Guides - Cisco Security Appliance Command Line Configuration Guide, Version 7.2
    ** Beyond the PIX/ASA the Reference section of this guide has an excellent Port/Protocol quick guide that is useful when configuring the other devices as well.

    Routers:
    The single best source is the 12.4T guide, even though the exam is on 12.2T (and 12.3 also covers 12.2T) the docs for it are harder to find (though listed below) and most of the functions are the same if you know what you're looking for (there are just a lot more features that you won't need for the lab included in 12.4T)

    12.4T :
    Cisco IOS Software - Cisco IOS Release 12.4T family - Cisco IOS Software Releases 12.4T - Configuration Guides
    The Security guide is obvious enough but also take a look through the Addressing, Applications and Routing Protocol guides at least enough to know what they include as they may be needed for ancillary tasks.

    12.2T :
    If you do need a function that has changed between 12.2T and 12.4T (for example the IOS IPS commands) then you have to go a different route as the 12.2 and 12.3 guides listed under Cisco IOS Software - xxxxxxxxxxx are a joke, so instead go to:
    End of Sale and End of Life Products - Cisco IOS Software - Cisco IOS Software Releases 12.2T - Command References (12.3T will do you just as well as it includes the 12.2T features).

    Personally I recommend you work off the 12.4T guides and memorize anything they don't include, there's not a lot of features it misses and to me the extra memorization is worth less navigation during the lab.


    VPN 3000:
    Another end-of-lifer
    End of Sale and End of Life Products - Security - Cisco VPN 3000 Series Concentrators


    Switches:
    Switches - LAN Switches - Cisco Catalyst 3550 Switches - Configuration Guides - Catalyst 3550 Multilayer Switch Software Configuration Guide, Rel. 12.2(25)SEE


    IPS:
    Security - Intrusion Prevention System IPS / IPS Appliances - Cisco IPS 4200 Series Sensors - Configuration Guides - Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 5.1
  • Ahriakin (Member, Posts: 1,799)
    Labs and Books covered to date



    Labs

    IPExpert Lab Prep Workbook 4.1: 1-12 are small single technology labs, 13 onwards are full labs
    1 - ACLs ( x2 - Redone 11/10/08 )
    2 - Network Attacks and Advanced Filtering (x2 - Redone 11/10/2008 )
    3 - GRE and NAT (x2 - Redone 11/15/2008 )
    4 - AAA (x2 - Redone 12/07/2008 )
    5 - PIX Firewall (x2 - Redone 12/07/2008 )
    6 - PIX/ASA (x2 - Redone 12/13/2008 )
    7A - IPSec (x2 - Redone 12/26/2008 )
    7B - DMVPN / EZVPN (x2 - Redone 12/19/2008 )
    8 - VPN Concentrator
    9 - Switching (x2 - Redone 12/28/2008 )
    10 - IDS/IPS (12/28/2008 )
    11 - Router Management and IOS Application Services
    12 - NAC
    13 - Multiprotocol Challenge A (12/17/2008 )
    14 - Multiprotocol Challenge B (12/19/2008 )
    15 - Multiprotocol Challenge C (12/22/2008 - half)
    16 - Multiprotocol Challenge D (01/02/2009 )
    17 - Multiprotocol Challenge E (01/04/2009)
    18 - Multiprotocol Challenge F (01/09/2009)


    Internetworkexpert Workbook Vol II: full 8 hour labs, in order of completion
    Lab 5 (Difficulty 5/10)
    Lab 1 (Difficulty 6/10)
    Lab 2 (Difficulty 6/10)
    Lab 4 (Difficulty 7/10)
    Lab 6 (Difficulty 7/10)
    Lab 8 (Difficulty 7/10)
    Lab 9 (Difficulty 7/10)
    Lab 3 (Difficulty 8/10)
    Lab 7 (Difficulty 8/10)
    Lab 10 (Difficulty 9/10)


    Books on the reading list
    On page 7 of this thread I was asked about how I rated the official reading list, so I'm posting my own notes here. I keep a spreadsheet of how many times I've been over them, and how relevant I'd rate them. Like the labs above this will be an evolving list that I'll edit as I go. The 'relevance' score is based not just on book quality but also how directly the content helps the lab candidate - it may be a great book on VPNs in general but cover more areas than the Lab blueprint and not enough detail on the sections you need for it so it would get a low relevance score. Also remember the mileage you get from any book depends on your own experience levels.



    Cisco Press Titles

    * Advanced Host Intrusion Prevention with CSA (Asher, Mauvais, Sullivan, ISBN# 1587052520)
    Relevance = 5
    I read this for the written. A good book for CSA itself and for the written but of little use for the Lab.

    * CCIE Practical Studies: Security (CCIE Self-Study) (Bokotey, Mason, Morrow, ISBN# 1587051109)
    Relevance = 8
    While based on the 1.0 blueprint and older PIX software in particular it's still a good book for what it covers, and a very good compilation of Router/Switch security data.

    * CCIE Security Exam Certification Guide (CCIE Self-Study), 2nd Edition (Benjamin, ISBN: 1587201356)
    Relevance = 5
    A decent start book for the Written, but it doesn't have enough detail on its own for that exam and definitely not for the Lab.

    * CCIE Security Practice Labs (CCIE Self-Study) (Bhaiji, ISBN# 1587051346)
    I haven't been through this one, and probably won't since it was easier to work with the IPexpert/IEWB workbooks. I don't have enough home lab equipment to do this one justice.

    * CCSP IPS Exam Certification Guide (Carter, ISBN# 1587201461)
    Relevance = 8
    Probably your single best source of IPS info. (short of the Docs). A decent if very dry book, unfortunately there's nothing more detailed out there.

    * Cisco Access Control Security: AAA Administration Services (Carroll, ISBN# 1587051249)
    Relevance = 7
    The best ACS Server source but it covers a lot more than you can realistically need for the lab. Also I would have liked more examples and dual configs of everything where differences lie between Radius and TACACS+ for certain functions.

    * Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance (Frahim, Santos, ISBN# 1587052091)
    Relevance = 8
    A very good ASA book in general but the last 25% or so covers the ASDM, which in real life is not bad to have but for the lab it's wasted. Also it could have gone into more detail in some areas.

    * Cisco ASA and PIX Firewall Handbook (Hucaby, ISBN# 1587051583)
    Relevance = 9
    Probably the best real-world book for the PIX/ASA. It doesn't cover the add on modules as well as the ASA All-in-one (above) but always includes the configs for 6.x up for each example. The 2nd edition is the one to get as MPF structure changed a great deal between 7.01 (which the first edition covers) and 7.2+ (which the 2nd edition covers). It is the single best source for MPF I've seen.
    You wouldn't absolutely need the ASA All-in-one as well as this one, but again to cover the expansion modules a bit better it helps.

    * Cisco Network Security Troubleshooting Handbook (Hoda, ISBN# 1587051893)
    Relevance = 10
    An absolute essential for the Lab (and very good for the written). Great depth on configuration and troubleshooting almost all core network security technologies.

    * Cisco Router Firewall Security (Deal, ISBN# 1587051753)
    Relevance = 9
    The single best source for Router security. I love Richard Deal's writing style and the content is spot on.

    * Cisco Security Agent (Sullivan, ISBN# 1587052059)
    Relevance = 3
    Another I read for the written that doesn't have an awful lot of use on the lab.

    * Comparing, Designing, and Deploying VPNs (Lewis, ISBN# 1587051796)
    Relevance = 3
    A good book in its own right but it covers MPLS and other technologies that you don't need. The IPsec section is just too short and is covered in more detail in other books on this list. If you read the other more relevant VPN guides here you can ignore this one (imho).

    * Designing Network Security, Second Edition (Kaeo, ISBN# 1587051176)
    Haven't read it yet

    * Intrusion Prevention Fundamentals (Carter, Hogue, ISBN# 1587052393)
    Relevance = 2
    I read this for the CCSP IPS exam and even for that it wasn't great. Co-Authored by the same guy who wrote the exam guide there's not much you'll get from this that you won't (and more) from the exam guide. Worth a read if you're completely new to IDS/IPS technology in general but that's it.

    * IPSec VPN Design (Bollapragada, Khalid, Wainner, ISBN# 1587051117)
    Haven't read it yet.

    * Network Security Architectures (Convery, ISBN# 158705115X)
    I read this a few years back and haven't a strong enough memory of it to fairly rate it.

    * Network Security Fundamentals (De Laet, Schauwers, ISBN# 1587051672)
    Relevance = 4
    A good intro guide, I read this one for the CCSP SND exam. Too basic for the CCIE Sec. though. Worth a read if you haven't been through it before, it just doesn't have a lot of depth.

    * Network Security Principles and Practices (Malik, ISBN# 1587050250)
    Haven't read it yet

    * Penetration Testing and Network Defense (Newman, Whitaker, ISBN# 1587052083)
    Haven't read it yet

    * Routing TCP/IP, Volume I, Second Edition (Carroll, Doyle, ISBN# 1587052024)
    Relevance = 7
    A very good R&S book, and a bible to many. While you do need a good understanding of R&S, certainly better than CCSP level, this one goes into more than you will need. Worth a read, and definitely use it to get the foundations down for Redistribution, filtering routes and the basics of BGP, but don't kill yourself trying to memorize the whole thing.

    * Routing TCP/IP, Volume 2 (Doyle, DeHaven Carroll, ISBN# 1578700892)
    Haven't read it yet.

    * Securing Your Business with Cisco ASA and PIX Firewalls (Abelar, ISBN# 1587052148)
    Relevance = 1
    If you were new to the PIX/ASA and needed to configure one quickly then this would be for you....BUT... it's all based on the ASDM so completely useless for the Lab.

    * The Complete Cisco VPN Configuration Guide (Deal, ISBN# 1587052040)
    Relevance = 9
    To me this is your Cisco VPN 'Desert Island' book. It covers VPNs across all appliance types, in excellent detail and with Deal's usual great and easy style.

    * Troubleshooting Virtual Private Networks (VPN) (Lewis, ISBN# 1587051044)
    Relevance = 7
    A good book but it scores lower because it covers a great deal more than the blueprint topics. The relevant sections are worth a read though but it's all covered in the other titles I've listed.

    * Troubleshooting IP Routing Protocols (Aziz, Liu, Martey, Shamim, ISBN# 1587050196)
    Relevance = 7
    An excellent book, it covers exactly what you'd expect from the title. It only scores a 7 as the depth of routing is a bit beyond what you need for the lab. Still I recommend a read, and it's well worth keeping for real-world stuff.

    * Router Security Strategies: Securing IP Network Traffic Planes (Schudel, Smith, ISBN# 1587053365)
    Relevance = 6
    I actually read this after the lab, I'm only adding this now as I was editing some of the ones above and spotted it here. It's a superb book on how to defend the Router itself. Gregg Schudel is Cisco's god of CoPP, if you've read any CoPP or CPPr whitepapers chances are he authored them. But Control Plane protection is not heavily covered in the lab. Still for real world I'd add this to the essential list.

    * Network Security Technologies and Solutions (Bhaiji, ISBN# 1587052466)
    Haven't read it yet.


    Other Publications

    * Cisco Security Architectures (Held and Hundley, McGraw Hill, ISBN# B00005UMKL)
    Relevance = 3
    Another good starter book but no configuration depth and its topics are covered in many other more relevant titles.

    * Firewalls and Internet Security, Second Edition (Cheswick, Bellovin, and Rubin, Addison-Wesley, ISBN# 020163466X)
    Haven't read it yet

    * Internetworking with TCP/IP Volume I: Principles, Protocols, and Architecture (4th Edition) (Comer and Stevens, Prentice Hall, ISBN# 0130183806)
    Haven't read it yet

    * Internet Security Protocols : Protecting IP Traffic (Black, Prentice Hall, ISBN# 0130142492)
    Relevance = 8
    Not specific to Cisco but this short book covers a lot of the technology theory in depth that the Cisco books don't, it answered some questions I had like why the Cisco VPN client uses aggressive mode with pre-shared keys, niggly little questions that while not specifically good for the lab might quiet a few voices in the old head about the technology.

    * IPSec: The New Security Standard for the Internet, Intranet and Virtual Private Networks (Doraswamy and Harkins, Prentice Hall, ISBN# 013046189X)
    Haven't read it yet

    * ISDN : Concepts, Facilities, and Services (Kessler and Southwick, McGraw Hill, ISBN# 0070342490)
    Relevance = 0
    It's not on the blueprint anymore, a huge book I was happy to leave on the shelf...

    * Network Security: Private Communication in a Public World, Second Edition (Kaufman, Perlman, Speciner, Prentice Hall, ISBN# 0130460192)
    Haven't read it yet

    * The Protocols (TCP/IP Illustrated : Volume 1)(Stevens, Addison Wesley, ISBN# 0201633469)
    Relevance = 8
    Another IP 'bible' title. While not specific to any one technology or even security itself it provides a very low-level look at TCP/IP that ultimately applies to everything you do.

    * The Implementation (TCP/IP Illustrated : Volume 2) (Stevens and Wright, Addison Wesley, ISBN# 020163354X)
    Relevance = 3
    Had a quick scan and didn't think this one would help too much. I would like to go back to it though after the Lab.

    * TCP for Transactions, HTTP, NNTP, and the UNIX(R) Domain Protocols (TCP/IP Illustrated : Volume 3) (Stevens, Addison Wesley, ISBN# 0201634953)
    Haven't read it yet
  • Ahriakin (Member, Posts: 1,799)
    So today's actual Diary:

    I re-read the Cisco Press CCIE Security Exam guide again....and kinda regretted it. It's a decent book for the written (only as a quick guide, it doesn't have a fraction of the depth it needs even for that exam, but then no one book could...hence the rather large reading list Cisco recommend :) ). It's gone into the bottom of my bookshelf and I think it's going to stay there....which is not a bad thing since by bookshelf I mean cluster of book holding boxes stacked under my desk, so one more I know I won't have to dig out is a plus. During the car trip back from the bootcamp I re-read the Network Security Troubleshooting Handbook and can't recommend it enough. I think at this stage it will be the single most valuable source I have. You would want to already have covered the technologies/appliances to the point where you understand their operation very well before touching this one as it does not spend a lot of time on explanations but it does include a couple of very valuable tips and tricks you won't find (or at least I haven't) anywhere else. Since a large part of the Security lab essentially involves you first breaking communications and then filtering it precisely you will need to really hone your debug skills and this book is absolutely perfect for doing that.

    I did the IPExpert PIX lab, section 5 this afternoon. It's a 5 router and 1 PIX lab covering the basics of setting up interfaces, routing (both incorporating the PIX and going through it), ACLs, Object groups etc. Target time is 3 hours and I went 5 mins over, mainly as there were a LOT of small tasks I spent a lot of time removing previous task entries (esp. for the routing sections). I'd say I knew about 85% or so off hand (a great deal of that thanks to the Bootcamp) and got the other 10% from the online Cisco Docs and the remaining 5% from the proctor guide. My main problems were with the BGP configuration (I really need to work on R&S - though I did remember how to clear it through the PIX, even that nice way that by default it will mess up MD5 auth - that one was an Online Docs. run...so it wasn't a complete failure..), and setting up a GRE tunnel across the PIX between 2 of the routers, I got the destination addresses completely messed up by not taking NAT into account. Still again the bootcamp training came through in that I remembered there is always more to the config than the question implies, yes you might have configured your routing protocols properly but did you remember to also create the ACL entries to let them through? Simple stuff that is easy (for me) to miss when I get stuck into it.
    I really need to change typing modes too. I'm so used to speed typing and letting the spellchecker pick up the pieces that I'm making WAY too many typing mistakes. On most commands it will let you know but my worst is access-list names, you get no warning, your entry just goes off into ACL heaven and you wonder why it still doesn't work (damn you "outside-ing"!!!!).

    All in all I think this afternoon's lab-let went well. I'll be revisiting GRE later in the workbook anyway so I'm not too worried about that section. As for the R&S problems I'm slowly going over the CBTnuggets BCSI videos to get a better handle on it - OSPF and RIP I'm fine with, but EIGRP advanced functions need a bit more work and BGP lots.

    So, hopefully later tonight I'll do Section 6, advanced PIX/ASA.





    Asleep yet?
  • networker050184 (Mod, Posts: 11,962)
    It's good to have a look at someone's progress towards the CCIE Sec. I look forward to reading through your posts.

    Good luck on the lab!
    An expert is a man who has made all the mistakes which can be made.
  • dynamik (Banned, Posts: 12,312)
    Ditto. Thanks for taking the time to do this.
  • GT-Rob (Member, Posts: 1,090)
    Also look forward to hearing how things go. November is not far away!
  • Ahriakin (Member, Posts: 1,799)
    After taking out some stress on TF2 I headed back to do IPexpert lab Section 6 - PIX/ASA. This one was made up of 2 distinct, though small, topologies - a 4 router/2 ASA section primarily for testing failover and multiple contexts and a 2 router/1 PIX section for Transparent Firewall.
    I dutifully loaded all instances up in GNS3 and got to work configuring the routers. I normally do the base topology for each lab (modifying as needed for the GNS3 layout vs. their ideal), save and exit then Zip the whole project folder up so I can easily go back to it fresh; in this case since the Firewall config was the main point of the lab I left them until last. So, Routers all configured and I hit Save....and wait....and watch that nice hourglass of doom mock me from its sanctuary inside the monitor...well maybe it didn't care that much but it seemed like it at the time. The router consoles were still responsive so I decided to get to work anyway on the Transparent firewall section and didn't worry about not being able to save the configs. Stupid. The actual configuration of the PIX was easy enough but the routing protocol adjacencies kept flapping and response was terrible. I think a total of 6 Routers and 3 PIX instances were a bit too much for my machine. I had to kill the Dynamips processes and start from scratch. This time I left the Transparent Firewall section off, I know I had it configured correctly already and everything went much smoother, though I did copy/paste the router configs manually to a text file just in case before hitting the GNS3 save.

    The goals of the main section were to configure the 2 ASAs with 2 contexts, with the 4 routers arranged in pairs off of each context's Inside/outside interfaces. It was definitely one of those questions you absolutely had to read fully beforehand, not that it was overly complex but you need to know that the final task will be to enable Active/Active Failover between the ASAs - the rest of the tasks don't make much sense without that little nugget of info so it would be hard to miss but still the less confusion the better. I tend to rush ahead with these things so this was actually good training to slow down and stop making assumptions about the questions. Failover is one section I know I will be relying on the Docs for - I know how it works, I know the different modes etc. but the config is very easy to mess up and even the slightest mistake might not yield an error message but you just won't get the 2 devices talking. Case in point being the 7.2 docs don't tell you to run the 'failover link' command on the 2ndary device as they do for the primary yet it won't 'mate' with the partner device without it. Anyway simply comparing the 'sh run failover' output on both devices showed that one up pretty easily and once it was added they started talking properly. I followed the advice Brian gave at the bootcamp and configured my first device as Active for both Failover groups and only switched it properly to Active-Primary Standby-Secondary at the end, this avoids you having to worry about which context you need to be in on which device to correctly make changes, you make them all on your first unit until the end - it has no bearing on functionality during the lab to leave one device as Active for both contexts.
    The routers were only there for testing connectivity across the contexts with ICMP on one (and a subtask of setting up TCP normalization of check-sums) and the more problematic BGP routing on the other (as I mentioned above, PIX/ASA 7.2 destroys BGP MD5 Authentication and you need to tell it not to clear option 19 or randomize the packet sequence numbers, through a TCP-MAP applied through a Policy-map).

    This one I'd say I hit 60% or so from memory and 35% from the online Docs, last 5% from the Proctor book (I forgot to apply the BGP/MD5 auth correcting policy-map to the actual interfaces; like I said in the disclaimer at the start I will (and did) make some stupid mistakes....)
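    Added example, not from the original post or the IPexpert workbook: the tcp-map/policy-map combination described above, as it would look on an ASA 7.2 sitting between two constructed BGP peers (192.0.2.1 on the outside, 198.51.100.1 on the inside); object names, addresses and the interface name are assumptions.

```cisco
! Constructed example: let BGP TCP-MD5 sessions survive an ASA 7.2.
! By default the appliance clears TCP options it does not know (option 19 is
! the MD5 signature) and randomizes initial sequence numbers; either change
! invalidates the peer's MD5 digest and the session never establishes.
!
! Match only the BGP traffic between the two constructed peers (TCP/179).
access-list BGP-PEERS extended permit tcp host 192.0.2.1 host 198.51.100.1 eq 179
access-list BGP-PEERS extended permit tcp host 198.51.100.1 host 192.0.2.1 eq 179
!
! tcp-map: pass option 19 through untouched instead of clearing it.
tcp-map BGP-MD5
 tcp-options range 19 19 allow
!
class-map BGP-CLASS
 match access-list BGP-PEERS
!
! Attach the tcp-map and turn off ISN randomization for this class only;
! every other TCP flow keeps the default protections.
policy-map BGP-POLICY
 class BGP-CLASS
  set connection advanced-options BGP-MD5
  set connection random-sequence-number disable
!
! The step that is easy to forget: a policy-map that is not applied with
! service-policy does nothing. Apply it where the BGP packets enter.
service-policy BGP-POLICY interface outside
```

    `show service-policy interface outside` should then list BGP-POLICY with non-zero packet counters once the peers retry; if the counters stay at zero the class is not matching (wrong addresses, or the interface ACL is still blocking TCP/179).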
  • Turgon (Banned, Posts: 6,308)
    Ahriakin wrote:
    Hi Folks,

    I've never gotten into the whole blogging thing (though I have greatly appreciated some of them on here) but was asked I'd mind doing a diary of my preparation for the Security Lab. I doubt these will have the detail and eloquence of Turgon's epic but if anyone else finds something useful in here then it'll have done the job :).

    Since I didn't have the forethought to do this from a clear beginning point I'll start off with some background as to me it's very hard to say when the CCIE trek really began - was it with the written exam or with my first attempt at the CCNA?

    I did my CCNA in Jan 2006 and the SNRS exam from the CCSP that summer but didn't get real exposure to a 'real' network until Sept. when I landed my current job (I'll admit it I used them to pad the resume hoping it would help me crossover from Server admin. to Network engineering). I took a bit of a detour on my CCSP track as I still had servers to look after so mixed the MCSE 2k3 exams in with it over and into 2007. I took and passed the CCIE sec. written in March 2008 but again got sidetracked into some other work projects that ate up my study time. I started lab prep'ing properly around mid August and went to the Internetwork Expert Bootcamp in Chicago at the end of Sept. 2008 - more so to make up for time I had lost to those work projects than from any belief I was ready for the lab and just need some bootcamp polish. Now I've cut work back to 20 hrs a week (I work remotely and have flexible hours) from now until I pass the lab.

    My first lab date is November 21st in San Jose and I am just a weeeee bit nervous.


    Anyway all of the above either serves as some interesting context or just as a disclaimer for the fact that yes in a lot of ways I am still a Cisco n00b with what many would consider too little experience to give the CCIE Sec. lab it's due and you will see a lot of stupid stupid mistakes made by yours truly in the next few months. But hey, gotta have goals :)
    and there's always the luck of the Irish...isn't there?....erm

    So on to the first diary thingy part.

    Good luck with all that. It's certainly a slog getting through labs. Reminds me of Ice Road Truckers and all those loads they had to do in a season.
  • Ahriakin (Member, Posts: 1,799)
    Thanks Turgon. Getting the discipline to keep at it for hours is not as bad as I thought it would be, though that might change when I hit the full scale labs. So far it's been enjoyable, I pop on the headphones and zone out into geekdom, It's one time the wife doesn't mind me ignoring her ;).

    Studywise today was CBTnuggets SNRS (and update modules) on ACS, DMVPN and IPSec with Certificates.

    I finished up IPExpert section 7-A - IPSec earlier this evening. It was rated at 3 hours but I think I got through it in about 80 mins or so. IPSec is one of my strongest areas so this one was 100% from memory. The lab was a simple layout of 4 routers and 1 PIX: 2 Routers on the outside ethernet segment, 1 trunked through a subinterface on the PIX and the last on the inside ethernet segment. There was a mix of direct Router-Router, Router-PIX and Router-Router through the PIX tunnels to encapsulate different types of traffic from various interfaces/loopbacks. I ran into one issue with encapsulating the GRE tunnel between the 2 directly connected routers on the outside - the GRE tunnel was fine but the way the question was worded implied they wanted IPSec inside the GRE tunnel in transport mode when in fact it was for the more common GRE inside IPSec/transport; once I worked that out it went fine.

    I'm about to start 7-B, an unrelated DMVPN setup with 3 routers over frame-relay.
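    Added example, not from the original post or the workbook: the "GRE inside IPsec, transport mode" arrangement the task was actually asking for, shown for one side (R1 at 192.0.2.1, directly connected peer R2 at 192.0.2.2) on IOS 12.x; R2 mirrors it with the addresses swapped, and every name, address and the pre-shared key are constructed.

```cisco
! Constructed example (R1): protect a GRE tunnel with IPsec in transport mode.
! Transport mode is enough because the GRE packet already carries an outer
! IP header between the two tunnel endpoints; only the payload is encrypted.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! PLACEHOLDER_PSK is a constructed value, not a real key.
crypto isakmp key PLACEHOLDER_PSK address 192.0.2.2
!
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
 mode transport
!
! Crypto ACL: the "interesting traffic" is the GRE between the endpoints,
! not the inner LAN subnets (that is the difference the task wording hides).
ip access-list extended GRE-TO-R2
 permit gre host 192.0.2.1 host 192.0.2.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set GRE-TS
 match address GRE-TO-R2
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
!
! The crypto map belongs on the physical interface the GRE packets leave
! from, not on Tunnel0; that is what makes it GRE-inside-IPsec.
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map GRE-MAP
!
! Constructed remote LAN routed through the tunnel so traffic gets wrapped.
ip route 172.16.2.0 255.255.255.0 Tunnel0
```

    A ping sourced from a LAN address should increment both the Tunnel0 counters and the `#pkts encaps` line of `show crypto ipsec sa`, which also reports `Transport` under "in use settings"; if the SA shows Tunnel mode, the transform-set is missing `mode transport`.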
  • Ahriakin (Member, Posts: 1,799)
    7-B was a mess, very badly written in what looked more like placeholders the author intended to elaborate on later. Also there were 2 main tasks, DMVPN and setting up EZVPN Server, but the directives for each task were sequenced randomly throughout the 12 steps. Seeing as it was thrown on as a 'B' component to a lab it shared no topology with I really think it was stuck in there at the last minute. Anyway, I was happy with the DMVPN results as I only made one mistake in swapping the Public and Tunnel IPs for the map multicast command, which I caught and corrected quickly by checking the online Docs (btw when I say I checked the docs I am referring to the same Cisco online documentation you have access to in the lab; while the aim is to minimize the amount of times I do have to reference them I don't consider a task failed for using them since I can do the exact same thing in the actual lab. If I do have to use another source like a different book, google or the workbook solutions then I do consider it a fail). EZVPN server I did purely from the docs, I'm fine with it on the VPN3K and PIX/ASA but the IOS syntax is a lot more convoluted imho, so I think it's one I am happy to leave to the docs for the actual lab.
    Lastly I played around with using VPCS with GNS3 to provide simple testing 'PCs' within each lab. So far I'd just used dummy routers for ping/traceroutes etc. but this should help save some host PC resources.

    Up until now I have been using a small spreadsheet to keep track of technology areas as I cover them but last night figured it was better to use the actual Blueprint (duh) and copied/pasted it into my notes. So now every time I cover a lab section or study a topic on the blueprint I mark in the date it was done and my competency from 1-5:
    1=Had no idea how to do it, and still don't after using the proctor guide to complete it.
    2=Had no idea how to do it, but have a bit better understanding after using the proctor guide.
    3=Had a rough idea how to do it but had to use the online docs extensively.
    4=Had a good idea how to do it and used the docs rarely.
    5=Had no problems doing it from memory.

    It should help me chart my progress and also spot some areas that my current labs just don't help me understand (e.g. if I redo a lab later and my score does not change then I need to study/practice it a different way). There are some areas, like EZVPN on IOS mentioned above, that realistically I don't mind leaving on 3 but they should be rare by the lab date, obviously I can't afford to leave anything below that.

    Right now I'm using Putty as my terminal emulator and Wintabber to keep them all organized but I won't have that luxury in the lab. I don't have an access server but when I use online racks (which I expect to start using extensively in a few weeks, thank you bootcamp-deal for those 200 free tokens :) ) I'm going to use SecureCRT (untabbed since apparently the one in the lab is fairly old) as one instance and switch from device to device within it. I know to most of you this is normal but I have always used multiple windows instead, it takes a bit longer to set up initially but makes workflow and comparison easier later in the labs imho.

    Anyway tonight is CBTNuggets SNRS-CBAC and IOS Firewall and then lab 8, the VPN Concentrator. I haven't tried breaking out of GNS3 to a physical device yet (the most I've done so far is to use a Cloud to a loopback on my host PC to route through to my ACS/Certificate server VM on the same machine). It looks straightforward enough though so hopefully that part will be quick to setup and I can get into the lab itself quickly. The VPN3K is one of my better areas so I don't think it'll be too hard....famous last words ;)
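The NHRP mapping mistake mentioned in the post above (tunnel address and public address swapped on the multicast map) is easiest to see with the two spoke commands side by side. This is an added, constructed DMVPN hub-and-spoke example over frame-relay, not the IPExpert 7-B configuration: the NBMA (frame-relay) addresses 10.1.1.1 and 10.1.1.2, the tunnel subnet 172.16.1.0/24, the authentication string and the interface names are all assumed. IPsec is left off so that the NHRP part stands alone; it is added with a `tunnel protection ipsec profile` line exactly as on any GRE tunnel.

```cisco
! DMVPN (NHRP over mGRE) over frame-relay, constructed example.
! Assumed: hub NBMA/public address 10.1.1.1, spoke NBMA 10.1.1.2,
! tunnel network 172.16.1.0/24, Serial0/0 is the frame-relay interface on both.
!
! ---- Hub ----
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 ip nhrp authentication NHRPKEY
 ! Hub learns spoke NBMA addresses dynamically from their registrations and
 ! replicates multicast (routing protocol hellos) to each registered spoke.
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 1
!
! ---- Spoke ----
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 ip nhrp authentication NHRPKEY
 ! Static map: <hub TUNNEL address> <hub NBMA/public address>, in that order.
 ip nhrp map 172.16.1.1 10.1.1.1
 ! The multicast map takes the hub's NBMA/public address, NOT its tunnel IP.
 ! Giving it 172.16.1.1 points multicast at an address that is itself reached
 ! through Tunnel0, so routing protocol hellos never get to the hub.
 ip nhrp map multicast 10.1.1.1
 ip nhrp network-id 1
 ! Next-hop server is identified by its tunnel address.
 ip nhrp nhs 172.16.1.1
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 1
```

`show ip nhrp` on the hub should show the spoke's 172.16.1.2 registered against 10.1.1.2, and on the spoke the static entry 172.16.1.1 -> 10.1.1.1. The network-id, tunnel key and authentication string have to match on every router or registrations are silently ignored, which is the other place a quick typo eats lab time.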
  • Ahriakin Member Posts: 1,799
    I didn't get my study done. Bold. I started to load it up and then began wondering whether to try making up a VMWare based IDS and launched into a webhunt through 7200.Haki.at that led on further to a video tutorial site that also had vids for emulating the NAC Appliance and a few other goodies. But after spending some time going through them and getting excited about setting them up I thought about the amount of time it would take to set it up vs. the impact it would have on my knowledge (which on IDS I'd already rate a 4 or so) and the fact I can use rack time on the real thing and figured it wasn't worth it....though typing this out now is getting me interested in doing it for the hell of it, well we wouldn't be here if we didn't have an obsession with technology. To paraphrase, the difference in IT between multitasking and ADD is success, and right now on this one I'm toeing the line.


    Labwise I got about halfway through the VPN section last night. The lab itself was not hard (though I still have to get to the IOS WebVPN section...) but I had issues with my second PC running the other half of the lab (with my real VPN3K between it and the primary PC/GNS3 instance). I got them all talking easily enough by cloud'ing out to my 2nd NIC on the primary PC, sending that to the VPN3K private interface, then doing the same for the single NIC on the other PC to the public interface. I used the same subnets on the GNS3 edge router interfaces and the linked NICs and it seemed to work fine but I'm still not sure if it works as a bridging or routing function, guess I need to start checking their forums as the GNS3 docs don't cover this, more Dynamips/Dynagen level I guess. The first oddity I noticed was that the VPN3K was not learning RIP V2 routes on the private side, whereas the only other router on that segment was learning them from the VPN3K - I checked that the private interface was set to send and receive V2, no passive stuff getting in the way and that was all fine. Debugs on the router showed it was multicasting updates correctly, I thought it might be something to do with how the Cloud/Bridge to GNS3 was limiting multicast so I specified the VPN3K as a neighbor on the router and voila up she came. Very odd, esp. considering that OSPF on the other side worked fine. I might look into it some more but really routing is just a test step and a minor enabler for the rest of the lab so once it's working I'm not that worried, I don't think Cisco need to make up hybrid labs like I do and I need to just work around anomalies I know are caused by this rather than waste valuable time on them....even though it goes against my nature ;)
    The biggest problem was my 2nd PC that I really need to reinstall from scratch. I had to remove Kaspersky a while back (again not that application's fault just a messed up OS) and since then the network has been flaky, even with no firewall installed (and Windows' one disabled, my network is hardware firewalled so soft firewalls are for application access monitoring) it is blocking some apps from accessing other networks so I couldn't get the VPN client working from it. After trying to troubleshoot that one I gave up for the night and will use my laptop instead this evening.
  • Ahriakin Member Posts: 1,799
    Weeellll things did not go quite to plan. I started studying Richard Deal's Complete VPN Configuration Guide (great book btw) to get ready for the IOS EZVPN setup and then wandered onto SSL VPNs, which are on the blueprint just not that night's lab and I'd never touched them before....which reminded me that we had 2 SSL slots on our ASA license that I'd been planning to get going....which led to reading Cisco Press "SSL Remote Access VPNs", which I'm now about halfway through - gotta love Safari bookshelf, you want it you can read it. So no strict labwork but some very good hands on for the last 2 days playing with Clientless (crappy), SVC (better) and finally the Anyconnect (yey) client through a CSD session and setting up a handy backup for using remote access to troubleshoot out of office clients whose Unity client has failed. Oh and I normally work/study at night since my hours are flexible and my wife works nights but this week the other Network admin. is on holiday so I said I'd cover normal business hours, cue big sleep crash this morning when I got to bed at 6am (had to virtualize some servers after hours) and up again at 8.
    So no major Diary entries for better or worse. I think tomorrow I'll focus on finishing the SSL book (so far it's been decent but not great, I find it very repetitive but there is good info. included....just over and over and over again ;) ) and finalize the SSL config on our ASAs.
  • APA Member Posts: 959
    thanks for taking the time to post your thoughts and experiences!!! :)

    Will come in handy when the rest of us decide which CCIE track to take!

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • Ahriakin Member Posts: 1,799
    No problem, personally I think it'll bore you to death but we'll see :)

    I am now officially in love with Dynamic Access Policies. Probably old hat to most of you who've worked with NAC but I could never get it approved in the budget so being able to apply ACLs to VPN sessions based on a quick client scan is fantastic - PEON with AV running you can do this...PEON with no AV you can do the bare minimum we need to fix you....ah sweetness.
    The amount you can do within the CSD/SSL setup just from the ASA itself is amazing, now if only they hadn't cut the SSL client count on the basic license after 7.2. Anyway I pretty much finished up the SSL book and implementing it at work this evening so back to normal labs tomorrow.
  • Ahriakin Member Posts: 1,799
    Mainly normal work so far today but I started back into The Complete VPN Configuration Guide again. I also decided to have a go at upgrading my PIX 515 from 6.3(5) to 7.2(2.10) again. I bought a RAM upgrade for it a few months back but of course it wouldn't take because by default it won't recognize the extra 32MB. I followed the instructions to upgrade by Monitor mode a few times then and tonight and still nothing. I thought maybe I had a dummy RAM module but both worked when placed in there on their own. Soooo I tried 7.04 instead and up she came :), when that was finished I TFTP'd 7.22-10 in normal mode and that went fine too. It seems whatever fix they placed into the early versions of 7.x to allow upgrading a 515 is not present in at least some of the later versions. So I'm happy...yes easily amused....

    I have 2x6 hour lab sessions booked for this Saturday and Sunday to attempt one of IWEB's full labs so I think for the rest of this week I'll mainly just be hitting the books. Finish off the VPN guide and then I think re-read the SNRS and IPS CCSP guides and Cisco PIX/ASA Handbook if I get time.
  • Ahriakin Member Posts: 1,799
    Super exciting news...well no...not really. Just checking in :). I finished up the Complete VPN Configuration Guide again yesterday and I still think it is the single best book Cisco have ever produced. The quality of writing, the easy flow and the levels of detail Richard eventually goes into are imho perfect. Some texts have a lot of info but are too dry, some the reverse, this one is just right. You would have to try not to understand VPNs when done. I did some basic 'lab'ing I guess while reading it in that I ran GNS3 and did some IOS EZVPN work (Router security is still one of my weaker points but it's getting a lot better now).
    Last up was a skim through the SNRS guide. I know it's all relative but I remember reading through that book for the first time 2 years back and thinking it was very detailed and tough, and last night I kept thinking there'd be more detail near the end...but nope. It was worth it for a quick refresher but I don't think I'll be reading that one again before the Lab.

    Tonight is the IPS Cert Guide and hopefully also a start on the ASA/PIX handbook.

    I'm going to do the easiest lab in the IWEB workbook for tomorrow and Sunday's sessions (they rate them on 1-10 and this is a 5). No I'm not just wussing out but this is my first try at a full lab and since I'm on a rental I need to get accustomed to proper time management etc. as well as the lab itself so I think it's best to start easy on the technical side. My aim will be to do at the very least one full lab a week, hopefully 2. While also studying and doing mini-configuration labs as I go.
  • apd123 Member Posts: 171
    Definitely don't be ashamed of doing a level 5. I remember my first IWEB lab took me all day. I just looked at it and was so puzzled as to how it could have taken me more than 5 hours to complete it, but trust me first time through it took twice that. It's weird how when you look back at something like this.
  • Ahriakin Member Posts: 1,799
    Thanks, made me feel a wee bit better about it. Anyway I cut out 45 minutes early having done 3 out of 7 of the sections, the next section was certificate based IPsec and since tomorrow's session is on a different rack (won't make that mistake again) it would have been a waste of time to start it. So I copied the configs out to notepad and will modify them to reflect the new rack number before tomorrow's session....well at this time of the morning and with it really only 13 hours away I guess I shouldn't be calling it "tomorrow's".
    The lab itself was pretty straightforward. I did better on previous trouble areas like routing protocol authentication and reflexive ACLs etc. as well as keeping track of the existing traffic flow I might break by performing a later task but still I took too long and ended up losing whole sections due to one or 2 stupid mistakes. Also there were a few errata in the solutions and one or 2 small mistakes in the lab workbook (like a VLAN number typo that had me confused for a minute). Overall though I was happy with it, yup I would have failed if it was real but I can see improvements in my approach and in some of my previously weaker technology areas so headway is being made....I just wonder if it's fast enough.

    As I said I have another session in 13 hours and I hope to get most of the rest of this lab done tomorrow. If not I'll just start another on the next round, I won't dwell on it. Next lab after that is 2 sessions on Wed. back to back. Should be fun...... I reckon I'll dial this one all the way up to a 6 Difficulty :).

    I presume the 30 mins between sessions is for the Lab techs to reload the systems (or the automated system). But does anyone know offhand if it will do so when you have 2 sessions booked with IWEBs "Graded Labs"? I'll have a check on their forums later but wanted to see if anyone knew it quickly.
  • Ahriakin Member Posts: 1,799
    So, I loaded up my text-configs from last night and started very carefully using the Replace function to rewrite the subnets to match the new rack number. Loaded up the terminal sessions and began pasting...and ran right into something I should have considered but obviously didn't....some of the routers are using different hardware and software versions from the other rack, so eth0/0 on one is fa0/0 on the other etc. Rather than go back and try to rebuild the configs again I just put it down to experience and redid my work from last night on the new rack. It was good revision anyway. The extras today were all about VPNs, Lan-Lan / Remote Access / GRE. I hit a stumbling block on the L2L using Certs when first up my router would not enroll (it did authenticate and the CA had a valid certificate for it but nada), I removed the Trustpoint and zeroized/regenerated the RSA keys at 1024 (had been 512) and re-enrolled and that was fine. Then it wouldn't talk to the ASA, claimed its certificate was invalid and right in the middle of the debugs was a 'Sanity Check error' which I remembered from bootcamp, it's the damn CRL options. You HAVE to set it to something, even if just 'Optional' or you get this. So fixed that up and they were good to go...Well kinda. The question stated that the VPN had to be from one Vlan to Vlan3 but terminate on the ASA, with the layout that was ridiculous as it had to pass through the Router that also linked to Vlan3 to get to the ASA in the first place and then they wanted it to go halfway back up? I figured it was a typo as Vlan8 was behind the ASA (3 - 8...oh c'mon it's not that much of a stretch!) and configured it that way. But checking their solution they did indeed want it to go to the ASA and back up again. Another lesson learned, you may know that the CCIE lab does not represent best practice but now the bar needs to be lowered even more :). Still my way worked, just have to stop making assumptions about what would make sense vs. the stated objectives.
    The RA section was straightforward but the GRE was cumbersome, a manually configured full mesh with ipsec protection between 3 new loopbacks, not too hard but just ate up a lot of time.

    With 5 hours I didn't get it finished (even though I flew through the first 3 sections again, obviously a weeee bit easier since I did them last night, they still took time to input). But I only had to use the online Docs once to verify where to place the Reverse route statement in the RA setup and hit maybe 2 mistakes that I missed then saw from the solutions. I have to get faster at analyzing the objectives and inputting mundane tasks like crypto policies (I think I'll start using Notepad and paste them in future).

    So that's it. I have some actual work-work to do now and then soak my brain in ice water. Next lab session is a 12 hour on Wed.
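The router side of the two fixes the post above describes, regenerating the RSA keys at 1024 bits and setting the revocation-check option explicitly before a certificate-authenticated tunnel to the ASA will come up, plus the reverse-route placement looked up later in the same session, as one added constructed example. It is not the IWEB workbook configuration: the CA URL, trustpoint and key labels, subject name, peer and LAN addresses and interface names are all assumed.

```cisco
! Router end of a cert-authenticated L2L to an ASA, plus RRI for remote-access
! clients (constructed example; all names and addresses assumed).
!
! 1. Keys. The post's 512-bit pair would not enroll; zeroize and regenerate at 1024.
crypto key zeroize rsa
crypto key generate rsa general-keys label VPNKEY modulus 1024
!
! 2. Trustpoint. The revocation check must be set deliberately: with the default
!    (CRL required) the router tries to fetch a CRL it cannot reach and then
!    rejects the peer certificate. "none" skips the lookup; older images spell
!    the same thing "crl optional" under "crypto ca trustpoint".
crypto pki trustpoint LAB-CA
 enrollment url http://192.168.100.10:80/certsrv/mscep/mscep.dll
 subject-name CN=R1.lab.local,OU=CCIE
 rsakeypair VPNKEY
 revocation-check none
!
crypto pki authenticate LAB-CA     ! fetch the CA cert, confirm its fingerprint
crypto pki enroll LAB-CA           ! request the router certificate (interactive)
!
! 3. ISAKMP with RSA signatures instead of a pre-shared key.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! 4. Remote access: reverse-route lives on the dynamic map entry, so the router
!    injects a host route for each connected client's assigned address.
crypto dynamic-map RA-DYN 10
 set transform-set TS
 reverse-route
!
! 5. Static L2L entry to the ASA (assumed outside 10.0.0.10) and the dynamic
!    entry last, so it only catches what no static entry matched.
ip access-list extended L2L-TO-ASA
 permit ip 192.168.3.0 0.0.0.255 192.168.8.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer 10.0.0.10
 set transform-set TS
 match address L2L-TO-ASA
crypto map VPN 100 ipsec-isakmp dynamic RA-DYN
!
interface FastEthernet0/1
 crypto map VPN
```

`show crypto pki certificates` should list both the CA certificate and the router certificate before any tunnel is attempted; if only the CA certificate is there the enrollment never completed, which is exactly the stage where the small key size bit. `show ip route static` after a client connects shows the routes RRI injected, which is the quickest way to confirm the `reverse-route` line landed in the right place.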
  • GT-Rob Member Posts: 1,090
    Ya it takes about 2 or 3 full labs to really get into the swing of things. Also, if you can, I always suggest trying to do 2 sessions back to back (11.5hrs total). Even if you take a break in the middle or go out for a bit, I find it to be much more effective than trying to stop at 5.5hrs, and start again at another time.


    Keep up the good work! You've got about 5 weeks left to go ;)
  • Ahriakin Member Posts: 1,799
    Yup that's the plan from now on, next up is 2 sessions on wed. I just went ahead and booked another 4 doubles for this month as they were getting scarce.
  • dynamik Banned Posts: 12,312
    Wow. You guys are hardcore. There is no way I could focus my attention on something for so long. I might have to just go with buying my own equipment if I ever reach this level.
  • Ahriakin Member Posts: 1,799
    With the changes likely coming it's going to get a lot more expensive to do that though (MARS, NAC Appliance (though you can run this in VMWare)). I have enough equipment to do my own technology labs (and GNS3 is of course a major lifesaver) and will be doing those as I study but if you want to do a vendors full labs it really is faster/less hassle to just rent rack time from them. No worrying about cabling, or software/hardware mismatches etc you just log in and get to work. Besides I got 200 free tokens with the Bootcamp so all of the ones I've booked to now and those until the end of the month are freebies :). The lab itself is 8 hours so while it sounds like (will be) a slog doing those back to back sessions it's part of the training too.
  • Ahriakin Member Posts: 1,799
    Got held up a lot with work the last few days trying to get my hours up enough so that I could do today and tomorrow's double sessions without interruption. I did mainly study for the last 2 days, IPS (the CCSP guide, which sorry to say didn't magically transform into less of a slog since the last time I read it (lots of info, just the driest guide on the planet) and the signature creation modules from CBTNuggets). I'm pretty okay on the IPS, setup and configuration are a breeze once you've worked with it for a while (compared to say the ASAs where I discover new little things every week) the only tough part is signature creation imho. Knowing which engine to use isn't always obvious.

    So today was the big double session and it got off to a triumphant...er...slow start. I started printing the lab out just before 5pm and my printer decided to go on the blitz so I had to fix that first - the price of cheap ink cartridges. Right after I got that going my old Boss called about some work stuff (if you're reading this J it's not a criticism :), just marking it here for posterity) so I didn't really get started until about 6:30 or so. I took my time. There were a few areas that I would have skipped and moved on if it was the real thing but since this is a learning experience I stuck it out. The worst was a routing issue I couldn't resolve on a key router. It would not update its OSPF tables from the Frame relay interface (on this router it was a multipoint from one interface to 2 different spokes, neighbor relationships formed perfectly and debugs showed it claimed to have exchanged databases with its peers but nothing - I reloaded the original vendor supplied configs when I thought it was just my knowledge failing but still nada). It had a backup serial interface to one of the routers so I used that for OSPF between them instead, then threw up a RIP V2 session between it and the other key router and did redistribution to and from OSPF on either end. Hell of a patch but it let me proceed with the rest of the lab. The rest of the lab was reasonably tough, not impossible but a few nasty gotchas in seemingly simple configs (like doing a straight lan-lan tunnel from one router to a pair of ASAs, the catch being there was a PIX and VPN3K between them - it was easy enough to configure ACLs and Filters on both boxes to allow the IPSec traffic but it takes valuable extra time). The only real wall I hit was another Lan-Lan between 2 routers between 2 identical subnets, I knew I had to use NAT but got the access-list addresses mixed up badly on both ends. That one I had to look at the solutions for as I knew I had gone too far down the wrong way of thinking to back my mind out of it....if that's not clear I mean there are times when I know I have messed something up and in real-life would take a break, let my head clear and come back to it, no such luxury on rented rack time so the solutions it was.
    On the plus side I now find failover, EZVPN, PKI and any manner of IPSec L2Ls a breeze. I'm getting a bit faster on command entry and debugging and much better at keeping a mental image of the various filters for when tasks involve passing through them - they're popping up as nice little mental alarms now.

    After all that though I didn't finish it, got to section 5 (out of 7). So I think I'll use tomorrow's sessions to do this one from scratch again and complete it.

    For now it's this weeks episode of Chuck and whatever comfort food I can find (the price of being married to a Nurse, she hides the good stuff :) )
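The task that stopped the post above, a Lan-Lan tunnel between two sites that both use the same subnet, comes down to getting the NAT and crypto access-lists to agree on which addresses exist "on the wire". This is an added, constructed example rather than the IWEB solution: both sites use 192.168.1.0/24, site A is presented to the tunnel as 172.16.1.0/24 and site B as 172.16.2.0/24, the routers are directly connected over 10.0.0.0/30, and interface names and the pre-shared key are assumed. The point to hold on to is the order of operations: outbound, inside-to-outside NAT runs before the crypto map, so the crypto ACL must match the translated addresses; inbound, decryption happens before outside-to-inside NAT, so the translated destination is turned back into the real one after the packet is in the clear.

```cisco
! Overlapping-subnet L2L with static network NAT on both ends (constructed example).
! Site A real LAN 192.168.1.0/24 -> seen by the tunnel as 172.16.1.0/24
! Site B real LAN 192.168.1.0/24 -> seen by the tunnel as 172.16.2.0/24
! Hosts at A reach a host at B as 172.16.2.x, and vice versa as 172.16.1.x.
!
! ---- R1 (site A) ----
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
 crypto map VPN
!
! One-to-one translation of the whole /24; bidirectional, so B-initiated
! traffic to 172.16.1.x is untranslated on the way in.
ip nat inside source static network 192.168.1.0 172.16.1.0 /24
ip route 172.16.2.0 255.255.255.0 10.0.0.2
!
! Crypto ACL uses the TRANSLATED addresses on both sides: NAT has already
! rewritten the source by the time the crypto map sees the packet.
ip access-list extended CRYPTO-ACL
 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.0.0.2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set TS
 match address CRYPTO-ACL
!
! ---- R2 (site B) ---- mirror image, with the two /24s reversed
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 10.0.0.2 255.255.255.252
 ip nat outside
 crypto map VPN
!
ip nat inside source static network 192.168.1.0 172.16.2.0 /24
ip route 172.16.1.0 255.255.255.0 10.0.0.1
!
ip access-list extended CRYPTO-ACL
 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.0.0.1
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set TS
 match address CRYPTO-ACL
```

To test from a host at site A, ping 172.16.2.50 (site B's 192.168.1.50). On R1 `show ip nat translations` should show 192.168.1.x paired with 172.16.1.x, and `show crypto ipsec sa` should report the proxy identities as 172.16.1.0/24 <-> 172.16.2.0/24; if the SA shows a 192.168.1.0 identity, the crypto ACL was written against the real addresses and the two ends will never agree.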
  • wampampiro Member Posts: 1
    Hi all,

    I was just wondering if anybody knows or has an idea about how much having a CCSP will help to get the CCIE Security. This assuming of course that you really know all the stuff included in the CCSP track and have some hands on experience.

    Would you say having CCSP equals being 50%, 70%, 25% (or whatever%) ready for the CCIE SEC?

    Thanks
  • Ahriakin Member Posts: 1,799
    It's hard to quantify, I couldn't imagine trying it without the CCSP but there's a lot more you need to learn. I'd put it at the 50% mark at most.
  • Ahriakin Member Posts: 1,799
    And here ends the 2nd Back-Back session/full lab attempt and surprise surprise I actually finished it this time. I reckon taking off breaks it took about 9 hours, so I still need to work on that speed issue. But getting a bit faster each time. The only major problem I had was with Remotely Triggered Black Hole Routing. It relies completely on BGP and Route-map configs which are definitely my weakest areas, and as far as I can see it's not in the lab-accessible docs. I downloaded the Cisco whitepaper and will be going over it tomorrow most likely, and hitting the CBTNuggets BGP modules hard. The problem I had last night with one router not sending/receiving OSPF routing updates (when it was forming neighbor relationships with its peers) didn't happen tonight, different rack completely but I checked the configs against last night's and the routing was identical. Made me feel a wee bit better that it was the backbone and not my own stupidity.
    I got a bit more used to using Vlan assignments to hop the Test PC around too. Silly I know but I've been walking on glass around the switch configs up until now, no real reason just the hind-brain cross-wiring and associating it with a dark cave :).
    I made a few mistakes I caught after checking the solutions, and a few alternate ways of doing the tasks that still worked. I had to use the docs for dot1x, ASA failover, auth-proxy (I HATE auth-proxy, the IOS setup is a mess, on the PIX/ASA it's easy) and IOS EZVPN but all of those I am happy to leave as docs-when-needed - I know when to use them I have a good idea of the setup off the top of my head but the commands are convoluted enough to leave to the documentation.
    The only filtering issue I had was with the VPN3K. Passing a Lan-Lan through it from a Router to the ASA. The VPN3K default Public filter includes IKE/ESP passthrough in both directions so I checked it was applied and then configured the other devices (incl. a PIX also in the middle of the traffic flow). ISAKMP was fine but no ESP back from the ASA. Of course I checked the PIX ACLs, the proxy ACLs on both sides etc. Finally I went back to the VPN3K, not only was the "IPSEC-ESP Out" rule removed from the Public filter it had been deleted completely from the box. Some plonker had previously used it and wiped it out; if you aren't familiar with this the VPN3K approximates ACLs with Filters, there are a number of preconfigured rules that you can assign into a filter, then you assign the filter to your interface. So there is no reason to ever delete a rule, if you don't want it you just un-assign it from your filter, done...easy...doesn't mess up the guy behind you. Anyway it was easy enough to make a new rule to allow the same traffic and apply it to the Public filter, it was just annoying that someone left it that way. Must remember in future to wipe the configs completely at the start instead of presuming the boxes were reloaded.

    Anyway that's it. After 2 of these in a row I am completely exhausted.
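Destination-based Remotely Triggered Black Hole routing, the task the post above lost time on, is small once the BGP and route-map pieces are laid out together. This is an added, constructed example following the approach in Cisco's RTBH whitepaper, not the IWEB workbook's configuration: AS 65000, the trigger and edge router addresses, the tag value 66 and the discard address 192.0.2.1 are all assumed. The idea is that every edge router permanently points an otherwise unused /32 at Null0; the trigger router then announces any victim prefix over iBGP with that /32 as its next hop, so the edges drop traffic for the victim without a single line changing on them.

```cisco
! Remotely Triggered Black Hole, destination-based (constructed example).
! Assumed: AS 65000, trigger router 10.255.0.100 peering with edge 10.255.0.1,
! discard next-hop 192.0.2.1 (never assigned to anything), tag 66 marks
! black-hole statics on the trigger.
!
! ---- Every edge router (configured once, in advance) ----
interface Null0
 no ip unreachables              ! don't generate an ICMP unreachable per dropped packet
!
! The discard address resolves to Null0, so any BGP route whose next hop is
! 192.0.2.1 is forwarded into the bit bucket.
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 65000
 neighbor 10.255.0.100 remote-as 65000
 neighbor 10.255.0.100 send-community
!
! ---- Trigger router ----
! Only statics tagged 66 are redistributed, rewritten to point at the discard
! address, preferred over any other path, and kept inside the AS.
route-map RTBH-TRIGGER permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
route-map RTBH-TRIGGER deny 20
!
router bgp 65000
 redistribute static route-map RTBH-TRIGGER
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 send-community
!
! To black-hole a destination during an attack, add one static on the trigger;
! remove it to restore service. Nothing is typed on the edges.
ip route 198.51.100.77 255.255.255.255 Null0 tag 66
```

On an edge, `show ip bgp 198.51.100.77` should show the /32 with next hop 192.0.2.1 and local preference 200, and `show ip route 198.51.100.77` should resolve it through the Null0 static. If the route arrives but traffic still flows, the usual culprits are a missing `send-community` (the no-export community is what keeps the black hole from leaking to eBGP peers) or the discard static not being present on that particular edge. The same trigger can be turned into source-based black-holing by adding loose uRPF (`ip verify unicast source reachable-via any`) on the edge ingress interfaces, so that packets whose source now routes to Null0 are dropped as well.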
  • Ahriakin Member Posts: 1,799
    No labs the last few days, just some work and Study. I went over RTBH and then did the CBTNuggets BGP/Route-Map and QOS modules (about 1/3 the BSCI and 1/2 the ONT courses). It clarified a few things for me but I'm going to read over the Doyle TCP IP Routing books as well as the Troubleshooting TCP/IP Routing Protocols in the next few weeks. I guess when the Security lab is finally done I may as well do the CCNP since I've prep'd a fair bit for it already ;). I've got a minimum of 2 back to back sessions per week now until the exam and the next round starts on Thursday.
    Today will be more work on RTBH to keep it fresh in my mind and maybe the PIX/ASA Handbooks.
  • Ahriakin Member Posts: 1,799
    The last few days were spent skimming over "CCIE Professional Development Routing TCP/IP, Volume I, Second Edition". A very good book and one I guess pretty much everyone heading down any CCIE road has read, the only qualm I have is with the choice of Router names. 'When ChilliQueen is sending packets to PurplePlanetMongo via HyperDeathCheese.....'....well not quite but believe me the names are as odd, if not as fantastical. To me it's like word-noise just contributing to any mental static that is already getting in the way of absorbing the actual principles. Maybe it's just me, but it bugged the hell out of me after a while. It really helped my understanding of Route-maps and BGP (though the latter still needs work) both of which, as I guess I've made clear by now, are the biggest components that are central to the CCIE Sec that are not covered at all in the CCNA/CCSP. So if you take the same route as me be prepared for it to be quite a 'fun' hurdle.

    Today was a double / 11.5 hour session doing IWEB Lab 2 (Difficulty rating 6/10). It was a pretty good lab actually, a nice spread of technologies (Transparent firewall, Multiple contexts, VPNs between every class of device and plenty of AAA). I started an hour late as I didn't get set up until 6pm or so, night shifts are messing up my bodyclock too much.
    I ran into 2 major problems. The first was a management VPN from one router to the transparent ASA, the issue was that router already had a crypto map sourced from one of its Ethernet interfaces from a previous step, what got me was the Peer IPs, I didn't use the sourced interface but the perimeter interface (facing the ASA). It wasn't hard to work out, the debugs on the ASA threw it up straight away but it annoys me I didn't work it out initially. The second I spent a lot of time on simply because it was so frustrating, another case of if it was the real thing I would have moved on after 10 mins but hammered at it probably for about 40 mins or so. It was a relatively simple Lan-Lan between 2 routers (with a PIX between them). Usually easy enough, I set the ESP/ISAKMP ACEs on the outside-in ACL, then wrote the major part of the ISAKMP/IPSec configs in notepad and pasted to both routers (so I know absolutely the policies/transforms etc. matched) but it would never complete phase 1. I rewrote the policies, changed them to completely different but matching values, allowed all on the PIX, rebooted the routers. Nope. Debugs showed the ISAKMP policy was accepted and then nothing, no more debug output on the initiating router, and nothing useful on the 2nd (though it was showing the negotiations). I checked the solutions when I'd had enough and my config was perfect. It's still bothering me though if it was something I missed. I might try this one again next week if I have time.
    I made it through section 7 (out of 8), time spent (excluding breaks and the late start) was about 9.5 hours. The last 'level 6' I did took 9 hours to complete on the 2nd try, with only reaching section 4 on the first night so I'm getting faster....still not fast enough though.

    4 weeks to go.....I'm getting nervous enough it's already messing with my sleep. Normally exam jitters don't bother me, maybe a bit on the car trip to the testing center but nothing like this. We've sunk most of our savings into this, with books/labs/equipment/bootcamp/exam+travel etc., that it's making me feel a bit guilty, what else could we have done with the money, hell in this economy it'd just be nice to have it in the bank...mebbe 'bank' is a bad idea ;). The wife is very supportive, there's no way I'd be at this stage without her, my first CCIE-earned paycheck goes on whatever she wants (okay being married, and honest, 'first' won't be the last ;) ).
    Anyway enough babble. I'm off to play a bit of Far Cry 2 and let the steam out of my wee noggin.
  • Ahriakin Member Posts: 1,799
    Okay, IWEB Lab 4 (Difficulty 7/10) down...well mostly. The ACS (AAA) server was fubar, wouldn't respond to requests from anything on any protocol. But the CA and GUIs for the VPN3K and IPS were fine. I did what I could substituting local AAA instead but it was a pain in the ass so I skipped most of the dedicated Identity management section. With that out of the way the rest of this lab was pretty tough. A lot of NAT early on to get around problem areas, like moving a server from one subnet to another and not changing its IP, then getting the nearby PIX to proxy-arp for it and its still programmed default-gateway (which was now on the other side of the PIX), or using it to 'move' one router close enough to the one it is supposed to peer with but has no direct route to etc. I thought I knew NAT really well, and for the main concepts I do, but this sort of 'trickery' killed me. Needs a lot of work. If I'd hit this one for real I'd have failed badly, probably in the 60's. The one good thing is I'm still getting faster at the core tasks. But I'll walk away from this one with my ego bruised and a long list of things I need to get a lot more detail on.

    Anyway, another 2 day back-back done and my brain is once more fried. Off to blow off some steam and then hit the books again tomorrow.