Archive for June, 2010
It’s that time of the week again!
Posted by TacAck in CCIE-Security on June 24th, 2010
I always, always LOVE Thursdays. They’re usually break days!
I thought I’d do some labs today, but I’m just not in the mood. I believe one must enjoy his/her studies, and if I’m not in the mood, I don’t want to push myself. So it’s break time!
So, here’s my plan for today. I’m going to head home soon and have a nap (I’ve been missing some sleep for a couple of days). Then I’m heading to a movie with my first love, and then chilling out with a drink in hand and the Doc-CD tonight.
I’m taking tomorrow off, so hopefully it’s going to be a long and productive weekend!
Cheers and have fun,
TacACK
Control-plane security INE Vol 1
Posted by TacAck in CCIE-Security on June 23rd, 2010
Hello All,
Yesterday, I did the control-plane security INE Vol 1 lab. It’s funny (and awesome at the same time) that I’m learning something new every time I do these Vol 1 labs. Again, yesterday was a great learning experience and I want to share some of the stuff that I learned with you.
- There was a task which required me to configure a “port-filter” class-map, in order to block traffic going to closed ports and also to ignore a couple of ports from this check.
- Now, I configured the whole task correctly and I was expecting it to work just fine.
- But I noticed that all the packets going to any port on the router were getting dropped. I could see telnet traffic and RIP updates being dropped. This started to bother me.
- After some digging, I figured out the problem. It was in the class-maps.
- I had specified the matching criteria of the class-map as match-any. What this was doing was dropping traffic that was even meant for legitimate ports, as it was not checking all the lines of the port-filter class-map. To solve this issue, I just entered match-all instead of match-any and it started working. This is a good thing to remember for the final lab.
- On a side note, remember, in an earlier blog post I had commented about how a ZBPF config was not working because I was using match-all instead of match-any there. Well, this is just the opposite. Just 2 things to keep in mind when stepping into the lab.
- There was a task which required the router to monitor the TCP connections from its peers, and ensure that TCP connections are torn down once the reachability between the router and its peers goes down. I didn’t know how to do this. Apparently we use service tcp-keepalive for this.
- Next, I had to battle the monster of SNMP!
I had gone through the SNMP configuration guide a day back and it definitely helped. The only thing that I needed to study was RMON configuration.
- Selective Packet Discard -> This is an awesome concept. I was discussing this with Ryan a couple of days back and we studied this topic together (which really helped!). We should do that more often. One pothole which I encountered in configuring this is that these commands are NOT VISIBLE IN THE CONTEXT-SENSITIVE HELP. So we must memorize these commands! I remember having a similar experience with 802.1x.
- Finally, I had some Role-Based CLI Access configuration to complete. In one of the tasks, I had to create a view which allowed the user to access only “interface fa 0/0” and use all the IP-related commands.
- This looked like a simple task, but it wasn’t working. This was my configuration:
- #parser view TEST
- #secret CISCO
- #commands exec include configure terminal
- #commands configure include interface fa 0/0
- #commands interface include all ip
- Now, after switching to that view, I could see that from the exec mode I could go into the global configuration mode. So far, so good! Now, here, I was supposed to see the interface command available. But I couldn’t see it. I had configured the interface command to appear, but it just didn’t. I later checked in the Doc-CD to find out what I’d configured wrong, and it turns out I had to add this line to the view configuration:
- #commands configure include interface
- Only then do the interface commands appear in the global configuration menu. I don’t know why we have to include interface twice. I have to ask someone regarding this. If you know why, please feel free to let me know.
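Since the match-any versus match-all distinction in the port-filter task above is easy to get backwards under lab pressure, here is an added illustration (my own example, not the author’s configuration or the INE lab solution) showing the weak setting beside the corrected one. The class and policy names and the excluded TCP port 3000 are assumed values; the show commands at the end are for checking which host ports are open and what the policy is actually dropping.

```ios
! Added example, not the blog author's config. Names and port 3000 are assumed.
!
! BROKEN: match-any means "closed port OR not tcp/3000".
! A packet to an OPEN port (telnet tcp/23, RIP udp/520) is not tcp/3000,
! so it satisfies the second line and the whole class matches -> dropped.
class-map type port-filter match-any PF_CLOSED_BAD
 match closed-ports
 match not port tcp 3000
!
! CORRECT: match-all means "closed port AND not tcp/3000".
! Only packets to closed ports other than 3000 match; open services survive.
class-map type port-filter match-all PF_CLOSED
 match closed-ports
 match not port tcp 3000
!
policy-map type port-filter PF_DROP
 class PF_CLOSED
  drop
!
! Port-filter policies attach to the host subinterface of the control plane.
control-plane host
 service-policy type port-filter input PF_DROP
!
! Verification: list the ports the router considers open (these must not be
! dropped), then watch the drop counters while testing telnet and RIP.
show control-plane host open-ports
show policy-map type port-filter control-plane host
```

The quick check after applying either class is the one the author describes: if telnet to the router and incoming RIP updates stop at the same time, the class is matching open ports and the mode is wrong.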
Also, this morning I was configuring some GETVPN inside DMVPN (for practice) and I had a small discussion + lab with Ryan regarding this. Lots of interesting things came out of this and I’m super excited to share them with you. That definitely deserves another blog post. Watch out for that!
Cheers,
TacACK
IPS Done
Posted by TacAck in CCIE-Security on June 18th, 2010
Hello All!
I finished the IPX 3A Vol 1 lab today. It was a very good exercise and it was much more realistic than 2A (which is very, very hard). I took about 6 hours to get it done.
Here are some of the interesting points that I learnt in today’s lab:
- Yesterday I had some trouble configuring RSPAN on the INE rack rental. The INE rack rentals have 3550s as the access switches and I couldn’t get RSPAN to work on them. But today it worked. I’m still trying to figure out why. However, the only config that we need to remember can be found here -> http://is.gd/cUjbP
- Also, in SPAN/RSPAN configuration, pay keen attention to the keywords “ingress” and “untagged” if we have to permit return traffic on the SPAN/RSPAN destination interface. I’m a little confused about this so I’ve asked this question on OSL. Hopefully I’ll have an answer soon, and I’ll update this post.
- When doing IPX labs, there were many tasks which required dropping traffic if a special type of ping (big size, bad source, etc.) was detected. The IPX DSG showed that there are standard signatures to match these issues. But instead of sitting and searching for those, I configured my own signatures. This just takes 2-3 mins and this way we at least need not waste time searching for the signature. IMO, I don’t think it matters, because at the end of the day, the proctors are looking for the config to work.
- Also, a good tip which I want to share with you guys is REGEX matching. This is particularly useful in tasks where you have to drop packets with a certain payload (maybe worm mitigation, etc.). For this we will have to use/configure/create signatures belonging to the “STRING” engine. Now here’s the tricky part. How do you verify if the regex that you have configured is correct or not? I use the ASA for this. The ASA has a neat command called #test regex <string to match> <REGEX>. The really neat part is that, when I was going through the DSG after the lab was over, Tyson also uses the same technique to check if his regexes are OK, prior to implementing them on the IPS.
- Ex: #test regex test [tT][eE][sS][tT]
- OK, here’s a little trick that I didn’t know, but I learned it from the labs. Suppose you have a task which says -> “Only B should telnet to A. If router C or D telnet to A, that traffic should be dropped by the IPS”. How do you go about configuring this? I kept on wondering about how to permit the pings ONLY for A. Was there an IP address field in the signature configuration where I could permit only router B to telnet to router A? Then I checked the DSG. The solution was awesome. Here are the steps:
- First, in the signature that matches the telnet traffic going to Router A, configure it to drop ALL packets. Yes, you heard me right. Wait for the next step.
- Now, head over to Event Action Filters, enable them, and filter out the “drop packets” action for only traffic from Router B. This way, we’ll be achieving what the task requires us to do. Isn’t this just cool!
- Here are 2 things I always try and keep in mind:
- For BLOCKING, RATE-LIMITING -> The IPS uses its management interface to send the block and rate-limit commands.
- For TCP RESETS -> The IPS uses the promiscuous interface that it receives the traffic on. It sends back the TCP resets on that interface. Therefore, we must configure that SPAN port to permit “ingress” traffic too, and place the TCP reset traffic in the same VLAN as the destination of the TCP resets.
Also, for the first time ever, I read through the whole 3A lab prior to configuring it. I know, instructors have been telling us to do this, but I was just too bored and I thought my way was correct. I used to just draw the diagram and start with TASK 1. I was SO wrong!
I took the time to go through the whole lab, and make markings in my diagram about interesting stuff that I would encounter later in the lab. Ex: I knew that I would have to configure blocking on, say, Router A and ASA1, etc. Also, I knew which virtual sensors were operating and where. This made my labbing much more efficient. I’ve been a total dumbass for not using this technique in my earlier labs. I would highly, highly recommend that you try it too.
Here’s what I do. I get a blue/black pen, a red pen and a pencil. I use the blue/black pen to draw the network diagram. I then use the pencil to mark the IP addressing. Then I use the red pen to indicate everything I’d have to configure on the diagram. This works for me. Do give it a try sometime.
Here’s what my diagram looked like, even before I started Task 1. I took 30 mins right at the beginning of the lab, but it was well worth it.
I’d love to hear from you about the techniques that you guys use to lab more efficiently. Also, if you have any notes that you’ve taken during your labbing sessions, please pass them on so that all of us can benefit from them.
Cheers and have a GREAT weekend!
TacACK
This just in : Tolulope is now 2XCCIE!
Posted by TacAck in CCIE-Security on June 17th, 2010
Hey all!
Just got news from the man himself that he just got his results and he’s a CCIE-Sec!
Congrats, bro! Your hard work has definitely paid off.
Hopefully we can get him on here to share his experience with us. You can congratulate him at his blog site www.amplebrain.blogspot.com
It’s now time for that road trip.
Cheers,
TacACK
P.S.: We had a little chat with him a week or so back. You can find that here -> http://tacack.com/2010/06/06/ccie-sec-candidate-interviews-tolulope-ogunsina/
INE Vol 1- IOS F/w revision
Posted by TacAck in CCIE-Security on June 16th, 2010
Hello all!
I have good and not-so-good config days, but yesterday was definitely a GREAT day!
After my bad experience with IPX Vol 1 Lab 2A, I decided to go back to INE Vol 1 IOS F/W and revise that.
I started my rack session at 17:30 IST and I could get this done by around 20:00 IST. For me, that’s pretty good speed. More importantly, I learned some more new stuff which I want to share here:
- When configuring CBAC or reflexive ACLs, we all know that the only traffic which is permitted back is the traffic which matches a session created for an outbound session. Now, how does that affect routing traffic? Will routing advertisements be allowed from the outside? For that we use a workaround. Our goal is to permit the traffic from the outside. The only way that’s possible is to somehow create a session in the router so that the return traffic (the routing advertisements) can be permitted. For this we take all the routing traffic that’s being originated by the router, and set the output interface for them to a Loopback interface. This way, the routing traffic heading out will be treated as coming from the inside (or loopback, here) and an inspect session is opened. This automatically permits the traffic back. Here is how you do it:
- #ip access-list extended RIP_TRAFFIC
- #permit udp any any eq rip
- #route-map RIP_TRICK permit 10
- #match ip address RIP_TRAFFIC
- #set interface loopback 0
- ! the route-map must be applied to the router’s own traffic, or nothing is policy-routed
- #ip local policy route-map RIP_TRICK
Generally, the question will be worded as follows: “Ensure that routing updates are not disrupted by all this config” (or) “Ensure that control plane traffic remains unaffected”. Sometimes the issue can be solved by using just an ACL on the interface, but sometimes it’s a little more complicated than that. So watch out for those.
- In the case of ZBPF, 2 things to keep in mind:
- If you have to configure traffic policing between 2 zones, along with the “police” command in the policy-map, also specify the “inspect” action. Otherwise it will not work. Inspect is required for police to work. Also, the police action is not allowed to be applied on a zone-pair with the “self” zone as a member.
- I would also suggest that you go through the different types of parameter maps that are possible in ZBPF; they are interesting and there’s a good chance they might be asked in the lab, if they desire to make ZBPF more complicated.
- Also, every time I do ZBPF, I use the diagrammatic approach that I blogged about earlier. Do check it out if you have the time. Hope it helps. Also, any suggestions are welcome!
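To make the police-plus-inspect rule above concrete, here is an added example (my own, not the author’s config or an INE solution) of a zone-pair policy that rate-limits inspected web traffic and drops everything else between two zones. All zone, class, policy and interface names and the rate/burst values are assumed; the comment about the self zone just restates the restriction mentioned above.

```ios
! Added example, not the blog author's config. All names and numbers are assumed.
!
class-map type inspect match-any CM_WEB
 match protocol http
 match protocol https
!
policy-map type inspect PM_IN_TO_OUT
 class type inspect CM_WEB
  ! inspect has to be present in the same class; police on its own is rejected
  inspect
  ! rate is in bits per second, burst in bytes
  police rate 256000 burst 16000
 class class-default
  ! anything not explicitly inspected is dropped and logged
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
!
zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN_TO_OUT
!
! Note: a police action is not accepted on a zone-pair that includes the
! self zone; router-destined traffic is rate-limited with CoPP instead.
!
! Verification: per-class session, packet and police counters for the pair.
show policy-map type inspect zone-pair IN_TO_OUT
```

When checking this in the lab, generate some HTTP traffic across the pair and confirm in the show output that the session counter rises under CM_WEB rather than under class-default; if hits land in class-default, the match lines are the problem, not the police statement.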
OK, for the first time, I’m going to have a contest here.
Well, it’s actually a little too simple to be called a “contest”, but what the heck!
Here are the configs for a transparent ZBPF config.
Every time I try pinging R2 from R1, the packets are getting dropped. I checked the configs and I notice that although I have the match protocol icmp command, it’s dropping the packets as they are heading to the class-default class and getting dropped. I was facing this issue yesterday and Ryan Schuett pointed out the issue in 20 seconds.
Good luck!
Today I’m going to revisit IPX Lab 2A. This time with a vengeance!
Cheers,
TacACK