INE Lab 8 today!
Posted by TacAck in CCIE-Security on August 3rd, 2010
Hello Hello!
I’ve been busy for the last couple of days doing some ccie-sec stuff and also getting some work done. I did INE lab 5 first and i found it REALLY REALLY hard! I don’t think there’s any way the real exam is going to be this hard.
After that, i did INE Lab 7 and i found it pretty fair. Some sections were tough, but most sections were doable. I found some confidence after doing them and i think i need to work a little bit more on my speed.
Later tonight, i’ll be posting a video about how i actually start the lab. This will include how i draw the diagram, how i take down notes, etc. If you feel i should do anything differently, please feel free to let me know!
Yesterday, i did a lot of Doc-CD study. I studied/did-some labs on IOS NAT, went through the great free whitepapers available on the INE website! I also did some VPN configurations but i just couldn’t get EZVPN to work. :/ I wanted to debug this but couldn’t find the time yesterday.
In about 30 mins time, my rack-rental session starts and i intend to do INE Lab 8 today. Hopefully, it’ll be fun!
P.S : I’m sorry if my blogs don’t have much techy stuff these days, it’s just because there’s so much going on and i’m finding it a little hard to collect it all and blog it. But i promise, after my 1st attempt, i will start blogging in depth about the technologies ( and a little less about my feelings )
Cheers and have fun!
TacACK
INE – 2 , TacACK – 1
Posted by TacAck in CCIE-Security on July 29th, 2010
Hell All,
To sum it up in one sentence, INE vol 2 Lab 4 was HELL( http://en.wikipedia.org/wiki/Hell ) ! The configuration sections were just too long and very very tough. I had a 5.5 hour time period in which i had to finish the lab, but i only managed to finish 4 sections , and half of one other section.
The sections i finished were :
- ASA
  - Very long
  - I wouldn’t call this tough , but it wasn’t easy either. Required a lot of thinking
- IOS F/w
  - This section was relatively easy, but it took a long time ( considering that there were only 2 tasks ).
  - The ZBPF section was a little tricky, because i had to keep revisiting this, because a lot of the later configs had to be accounted for when doing the configuration.
- VPN
  - There was an IPSec HA section. To be honest, i’d like to think i’m good with IPSec HA ( because i’ve practiced it many times ) , but i just didn’t understand the question.
  - I don’t know if my understanding was flawed or if the question was worded badly. Either way, i couldn’t configure it.
  - There was a troubleshooting question here , which was pretty simple. Again, this got a little more complicated because, the router which had the issue was also running ZBPF. So , had to account for that. ( More time spent )
- ID MGMT
  - They had 2 , i repeat 2 NAC sections. Since i didn’t know NAC , i just skipped these and moved on
  - Even the command authorization section was tough.
- CONTROL PLANE SECURITY
  - 2/3 tasks were easy.
  - One task was tough. ( required a lot of thinking , digging up the doc-cd ). However i’m still not convinced about the answer. I must ask some folks on OSL.
- IPS
  - The only section which was simple.
  - The penultimate task threw me off slightly, but i somehow figured out what to do. (Took some time)
- ADVANCED SECURITY
  - Again, not very difficult configurations, but they were very detailed and i took a lot of time configuring and testing them. I’d like to think they’re correct, but i’ll only know once i tally them with the answers.
  - I skipped the last task because i felt i was running out of time.
- NETWORK ATTACKS
  - Didn’t have time to do this.
As you can see, i couldn’t finish the lab in the 5.5 hours. So i managed to save the configs and i’m going to try it again sometime soon ( maybe tomorrow ).
I’d love to hear from you about how your studies are going!
Please feel free to buzz me on twitter ( @tacack ) , or by e-mail ( tacack at tacack dot com ) , or by just commenting to this post.
Cheers and Happy studying!
TacACK
INE vol 2 – Lab 4 revision today
Posted by TacAck in CCIE-Security on July 28th, 2010
Hello All!
I had an interesting day yesterday! I didn’t have any rack-rentals scheduled as i was scheduled to be spending most of my day doing some work-related stuff. I did that till about 3 PM and then i fired up good ‘ol GNS3 and started doing some small labs. I had forgotten how much FUN this was!
Here are a couple of things that i labbed yesterday :
- DNS rewrite on the ASAs
  - This was a simple topic but i have issues getting this to work 100% of the time, so i decided to spend some time labbing this. Only then did i figure out how complex this actually is. I was referring to the Doc-cd page for “Application inspection” on the ASA and i found some very interesting scenarios (one in particular) which i wanted to share with you.
  - It’s called DNS rewrite with 3 NAT zones
  - We all know how DNS rewrite works. Most of the time, out of habit, we generally configure only 2 NAT zones when we have to test this (ex : inside,outside) . So what happens is , the “A-record” in the DNS response gets translated according to the static nat entry.
  - Now, add another zone. It gets interesting now. What happens if, the user is on the inside, the web-server is on the dmz and the DNS server is on the outside. How does rewrite actually work. For this i found an awesome section -> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1336066 , which gives us a clear picture on how this happens. I also labbed this up and i was happy to see it working as expected.
  - I also tried the “alias” command and that worked too.
- Local IOS command authorization
  - I was revising IPX Vol 2 – Lab 11 , and i found that i was not too confident about the local command authorization section. So , i fired up a small lab and proceeded to do it. I’m now confident about how this works and i’m sure i could work my way through this task , if i face it again.
- AAA Cut-through-proxy on the ASA
  - I had configured regular CTP on the ASA before ( aaa authentication match <ACL> inside <method>) . But i was wondering what the “aaa authentication listener” command did. So i read up on some documentation ( which , i must say , i’m not very impressed with ) and i started configuring this.
  - I learnt that, by entering the “aaa authentication listener” command with the “redirect” , we are redirected to a fancy new page where we have to enter our credentials , instead of the usual pop-up box that we usually get.
  - But, without the redirect keyword, it performs CTP just the usual way . I don’t see any difference in adding the aaa authentication listener command. If someone knows the difference, i’d love to know what it is?!
One thing which i do regularly is to revisit the doc-cd to read about the order of processing of the classes/actions in policy-maps on the ASAs. I find this VERY helpful http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html#wp1083060 as i go about labbing. This can definitely make/break a configuration and i would suggest you are well versed with it.
Today, i have a rack-rental scheduled where i’m going to revisit INE vol2 – lab 4 . I’ll be keeping notes on how it went and i’ll definitely share it with you tomorrow.
Have a great day!
Cheers,
TacACK
After a long time!
Posted by TacAck in CCIE-Security on July 27th, 2010
Hello All,
It’s been a while since i posted about my study , partly because i’ve been held up doing a lot of miscellaneous jobs. Work ( Coding in ADA ) is really hectic these days and i’m unable to allocate the amount of the time that i would like to allocate to studies and labbing. However i have been studying and labbing whenever i can and here’s a list of things that i’ve done / things i need to do.
DONE
- INE Vol 2 – Lab 1
- INE Vol 2 – Lab 2
- INE Vol 2 – Lab 3
- INE Vol 2 – Lab 10
- IPX Vol 2 – Lab 11
- IPX Vol 2 – Lab 12 ( In progress )
Although, i have done all of these labs, i’m not sure i’ll be able to nail them again because i haven’t revised the topics that i had difficulties configuring. I must do that sometime this week and ensure that i know the contents of these labs inside out.
Today, i was doing IPX Vol 2 – Lab 12. I always have difficulties with IPX (and some INE) labs. That’s because they’re really hard, elaborate and take a whole lotta time . For me, it’s nearly impossible finishing it in the 8 hour period. I had about 7 hours of quality lab time today, out of which , i spent an hour re-drawing the diagram and going through the configuration items at the beginning. In the remaining time i could configure 5/8 sections. I have saved the configs and will continue the next time i have a rack-rental. I was a little worried this morning regarding my speed. I thought i was the only one with the slow speed and i was trying to analyze if there was something i was doing/missing, which was causing the slow speed.
But then, later today , i had the good fortune to talk to Kingsley and Toyos about the IPX labs and i found out that both of them were taking a little more time than the allotted 8 hours to finish the lab. This put my mind to ease, because i knew everyone was finding these labs hard and it was not only me.
I hope to get some office work done tomorrow and also study some stuff about NAC , practice some ACS configurations. I also hope to do the first lab in “Yusuf’s workbook” the day-after-tomorrow. Let’s see how that goes. Very excited!
See you tomorrow!
Cheers and Good night!
TacACK
This just in : Toyos Yooyen is a Double CCIE!
Posted by TacAck in CCIE-Security on July 24th, 2010
Hello All,
I received some GREAT news yesterday night on twitter. Toyos Yooyen (@tawtoyos , @tyooyen) had just cleared his CCIE-security lab in Tokyo. Congratulations Toyos!
He’s a double CCIE at the age of 24. What a phenomenal achievement! He’s been working very hard, knocking out practice lab after practice lab and it’s absolutely inspiring to see such dedication from an individual. Well done Toyos!
I know he’ll do very well in his career , so here’s wishing Toyos the best for his next CCIE!
Cheers,
TacACK

