Archive for July, 2010

INE – 2 , TacACK – 1

Hello All,

To sum it up in one sentence, INE Vol 2 Lab 4 was HELL ( http://en.wikipedia.org/wiki/Hell )! The configuration sections were just too long and very, very tough. I had a 5.5 hour period in which I had to finish the lab, but I only managed to finish 4 sections and half of one other section.

The sections I finished were:

  • ASA
    • Very long.
    • I wouldn't call this tough, but it wasn't easy either. Required a lot of thinking.
  • IOS F/W
    • This section was relatively easy, but it took a long time (considering that there were only 2 tasks).
    • The ZBPF section was a little tricky, because I had to keep revisiting it: a lot of the later configs had to be accounted for when doing the configuration.
  • VPN
    • There was an IPSec HA section. To be honest, I'd like to think I'm good with IPSec HA (because I've practiced it many times), but I just didn't understand the question.
    • I don't know if my understanding was flawed or if the question was worded badly. Either way, I couldn't configure it.
    • There was a troubleshooting question here, which was pretty simple. Again, this got a little more complicated because the router which had the issue was also running ZBPF, so I had to account for that. (More time spent.)
  • ID MGMT
    • They had 2, I repeat 2, NAC sections. Since I didn't know NAC, I just skipped these and moved on.
    • Even the command authorization section was tough.
  • CONTROL PLANE SECURITY
    • 2/3 tasks were easy.
    • One task was tough (required a lot of thinking, digging up the Doc-CD). However, I'm still not convinced about the answer. I must ask some folks on OSL.
  • IPS
    • The only section which was simple.
    • The penultimate task threw me off slightly, but I somehow figured out what to do. (Took some time.)
  • ADVANCED SECURITY
    • Again, not very difficult configurations, but they were very detailed and I took a lot of time configuring and testing them. I'd like to think they're correct, but I'll only know once I tally them with the answers.
    • I skipped the last task because I felt I was running out of time.
  • NETWORK ATTACKS
    • Didn't have time to do this.

As you can see, I couldn't finish the lab in the 5.5 hours. So I managed to save the configs and I'm going to try it again sometime soon (maybe tomorrow).

I'd love to hear from you about how your studies are going! :) Please feel free to buzz me on twitter (@tacack), or by e-mail (tacack at tacack dot com), or by just commenting on this post.

Cheers and Happy studying!

TacACK


INE vol 2 – Lab 4 revision today

Hello All!

I had an interesting day yesterday! I didn't have any rack rentals scheduled, as I was scheduled to be spending most of my day doing some work-related stuff. I did that till about 3 PM and then I fired up good ol' GNS3 and started doing some small labs. I had forgotten how much FUN this was! :) Here are a couple of things that I labbed yesterday:

  • DNS rewrite on the ASAs
    • This was a simple topic, but I have issues getting this to work 100% of the time, so I decided to spend some time labbing it. Only then did I figure out how complex this actually is. I was referring to the Doc-CD page for "Application inspection" on the ASA and I found some very interesting scenarios (one in particular) which I wanted to share with you.
    • It's called DNS rewrite with 3 NAT zones.
      • We all know how DNS rewrite works. Most of the time, out of habit, we generally configure only 2 NAT zones when we have to test this (e.g. inside, outside). So what happens is, the A record in the DNS response gets translated according to the static NAT entry.
      • Now, add another zone. It gets interesting now. What happens if the user is on the inside, the web server is on the DMZ and the DNS server is on the outside? How does rewrite actually work? For this I found an awesome section -> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1336066 , which gives us a clear picture of how this happens. I also labbed this up and I was happy to see it working as expected.
    • I also tried the "alias" command and that worked too.
  • Local IOS command authorization
    • I was revising IPX Vol 2 – Lab 11, and I found that I was not too confident about the local command authorization section. So, I fired up a small lab and proceeded to do it. I'm now confident about how this works and I'm sure I could work my way through this task if I face it again.
  • AAA cut-through proxy on the ASA
    • I had configured regular CTP on the ASA before (aaa authentication match <ACL> inside <method>). But I was wondering what the "aaa authentication listener" command did. So I read up on some documentation (which, I must say, I'm not very impressed with) and I started configuring this.
    • I learnt that, by entering the "aaa authentication listener" command with "redirect", we are redirected to a fancy new page where we have to enter our credentials, instead of the usual pop-up box that we usually get.
    • But, without the redirect keyword, it performs CTP just the usual way. I don't see any difference in adding the aaa authentication listener command. If someone knows the difference, I'd love to know what it is!
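To make the two ASA items above concrete, here is an added lab configuration covering DNS rewrite with three NAT zones and the cut-through-proxy listener. It is not from the original post and it is not Cisco's own documentation example; it uses the pre-8.3 static/nat/global syntax that the linked 8.0 guide and the 2010 workbooks use. The interface names, addresses, ACL name, AAA server and listener port are assumptions made up for the lab. The part that is easy to forget in the three-zone case is the second, identity static between dmz and inside: the (dmz,outside) static lets the ASA untranslate the public address it finds in the A record, and the (dmz,inside) static with the dns keyword is what decides which address the inside user actually receives. On the listener: without redirect it opens a port on the interface where a user can authenticate directly to the ASA before sending any traffic that matches the match-ACL, while intercepted HTTP is still challenged with the basic-auth pop-up; with redirect, intercepted HTTP is sent to the ASA's own login form on that port instead.

```cisco
! Added lab example, not from the post. All addresses/names are assumptions.
!
! inside  10.1.1.0/24        user at 10.1.1.50
! dmz     192.168.100.0/24   web server www.example.com at 192.168.100.10
! outside 209.165.200.224/27 public DNS server is somewhere beyond this
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.224
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
! ---- DNS rewrite with three NAT zones ----
! The public DNS server only knows the web server's outside address,
! 209.165.200.230. Publish the DMZ server on the outside; "dns" lets DNS
! inspection rewrite A records that carry the mapped address.
static (dmz,outside) 209.165.200.230 192.168.100.10 netmask 255.255.255.255 dns
!
! Inside users must reach the server on its DMZ address instead of hairpinning
! via the outside address. The identity static between dmz and inside, again
! with "dns", tells the ASA what an inside host should see in the reply.
static (dmz,inside) 192.168.100.10 192.168.100.10 netmask 255.255.255.255 dns
!
! Inside hosts still need a translation to get out to the DNS server.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
!
! Rewrite only happens if DNS inspection is applied to the DNS traffic.
! This is the default global policy, shown so that it is not forgotten.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
!
! ---- Cut-through proxy and the HTTP listener ----
! Inside users must authenticate before any HTTP to the outside.
aaa-server LAB-ACS protocol radius
aaa-server LAB-ACS (inside) host 10.1.1.200
 key cisco123
!
access-list CTP-AUTH extended permit tcp 10.1.1.0 255.255.255.0 any eq www
aaa authentication match CTP-AUTH inside LAB-ACS
!
! Listener without redirect: intercepted HTTP still gets the basic-auth
! pop-up, but a user can also authenticate directly at http://10.1.1.1:1080
! before sending anything that matches CTP-AUTH.
aaa authentication listener http inside port 1080
!
! Listener with redirect: intercepted HTTP is redirected to the ASA's own
! login form on port 1080 instead of the pop-up. Configure one or the other;
! the second command replaces the first.
aaa authentication listener http inside port 1080 redirect
```

To check the rewrite, run a lookup for www.example.com from the inside host: it should return 192.168.100.10. If it returns 209.165.200.230, confirm with `show service-policy inspect dns` that the reply actually hit DNS inspection and that both statics carry the dns keyword. For the proxy, `show uauth` lists who is currently authenticated and how long their absolute and inactivity timers have left, which is the quickest way to see whether a direct login on the listener port took effect.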

One thing which I do regularly is to revisit the Doc-CD to read about the order of processing of the classes/actions in policy-maps on the ASAs. I find this VERY helpful as I go about labbing: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html#wp1083060 . This can definitely make or break a configuration and I would suggest you be well versed in it.
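As an added illustration of why that page matters (it is not part of the post): within one policy-map a packet is compared against the classes in configuration order and, for each feature type such as application inspection, only the first matching class's action is applied; later classes are ignored for that feature. Within a class, actions of different feature types run in the fixed order the guide lists, not the order you typed them. The policy names, ACL and addresses below are assumptions made up for the example.

```cisco
! Added example, not from the post. Names and addresses are assumptions.
! Goal: apply a stricter DNS inspection policy only to queries sent to the
! resolver 192.0.2.53, and the default preset_dns_map to all other DNS.
policy-map type inspect dns STRICT-DNS
 parameters
  message-length maximum 512
  id-mismatch count 10 window 3 action log
!
access-list DNS-TO-RESOLVER extended permit udp any host 192.0.2.53 eq domain
class-map DNS-RESOLVER
 match access-list DNS-TO-RESOLVER
!
! WRONG ORDER: inspection_default comes first and already applies inspect dns
! to udp/53 (match default-inspection-traffic), so the DNS-RESOLVER class's
! inspect dns is never reached for any packet.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class DNS-RESOLVER
  inspect dns STRICT-DNS
!
! RIGHT ORDER: there is no "move" command, so remove both classes and re-add
! them with the specific class first.
policy-map global_policy
 no class DNS-RESOLVER
 no class inspection_default
 class DNS-RESOLVER
  inspect dns STRICT-DNS
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
```

After sending a few queries to 192.0.2.53 from an inside host, `show service-policy inspect dns` shows per-class packet counters; if the counter under DNS-RESOLVER stays at zero while inspection_default climbs, the class order is still wrong. The same rule catches a narrow `inspect http` map placed after a broad class, so check it whenever a later class in a policy-map seems to do nothing.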

Today, I have a rack rental scheduled where I'm going to revisit INE Vol 2 – Lab 4. I'll be keeping notes on how it went and I'll definitely share it with you tomorrow.

Have a great day!

Cheers,

TacACK


After a long time!

Hello All,

It's been a while since I posted about my study, partly because I've been held up doing a lot of miscellaneous jobs. Work (coding in Ada) is really hectic these days and I'm unable to allocate the amount of time that I would like to allocate to studies and labbing. However, I have been studying and labbing whenever I can, and here's a list of things that I've done / things I need to do.

DONE

  • INE Vol 2 – Lab 1
  • INE Vol 2 – Lab 2
  • INE Vol 2 – Lab 3
  • INE Vol 2 – Lab 10
  • IPX Vol 2 – Lab 11
  • IPX Vol 2 – Lab 12 ( In progress )

Although I have done all of these labs, I'm not sure I'll be able to nail them again because I haven't revised the topics that I had difficulties configuring. I must do that sometime this week and ensure that I know the contents of these labs inside out.

Today, I was doing IPX Vol 2 – Lab 12. I always have difficulties with IPX (and some INE) labs. That's because they're really hard, elaborate and take a whole lotta time. For me, it's nearly impossible to finish one in the 8 hour period. I had about 7 hours of quality lab time today, out of which I spent an hour re-drawing the diagram and going through the configuration items at the beginning. In the remaining time I could configure 5/8 sections. I have saved the configs and will continue the next time I have a rack rental. I was a little worried this morning regarding my speed. I thought I was the only one with the slow speed and I was trying to analyze if there was something I was doing/missing which was causing it.

But then, later today, I had the good fortune to talk to Kingsley and Toyos about the IPX labs and I found out that both of them were taking a little more time than the allotted 8 hours to finish the lab. This put my mind at ease, because I knew everyone was finding these labs hard and it was not only me.

I hope to get some office work done tomorrow and also study some stuff about NAC and practice some ACS configurations. I also hope to do the first lab in "Yusuf's workbook" the day after tomorrow. Let's see how that goes. Very excited! :)

See you tomorrow!

Cheers and Good night!

TacACK


This just in : Toyos Yooyen is a Double CCIE!

Hello All,

I received some GREAT news last night on twitter. Toyos Yooyen (@tawtoyos, @tyooyen) had just cleared his CCIE Security lab in Tokyo. Congratulations Toyos! :)

He's a double CCIE at the age of 24. What a phenomenal achievement! He's been working very hard, knocking out practice lab after practice lab, and it's absolutely inspiring to see such dedication from an individual. Well done Toyos! :)

I know he'll do very well in his career, so here's wishing Toyos the best for his next CCIE! :)

Cheers,
TacACK


CCIE-sec (ex-candidate) Interviews : Paul Stewart

Have I got a treat for you! I know I've been quiet for some time, but now I'm back! :) And I've got an awesome article here for you. It's really special and inspiring because it's an interview with Paul Stewart (or @packetu, as we tweeps know him).

Paul was one of the first few guys I met on twitter and I've been interacting with him for some time now. He's very, very helpful and knowledgeable and, most importantly, an exceptional person. His ability to take the most complex scenarios, break them down and explain them to someone has won him accolades everywhere. Recently, CLND recognized Paul as one of its top contributors. He's rated #3 among all the people on CLND and #1 in the CCIE Security group in contributions.

As a testament to all his knowledge and hard work, Paul cleared the CCIE Security lab recently! :) He's one of the few guys I look up to, admire and try to emulate. He's a CCIE, a friend and a great person. This is why I was really excited when he agreed to answer my questions!

I hope this motivates you and helps you in your quest for the elusive digits.

TacACK : Hello Paul! How are you doing today?

I am doing great. The weather is nice, and it's not Monday. I am actually working on a few off-the-wall projects that will be interesting. One includes a Cisco UCS-C, which from what I can tell is the small business version of the UCS.

TacACK : To the few people who don't know who you are, could you please tell us where you are from?

I am from London, Kentucky.  For those who are familiar with the geography of the US, that is about 150 miles south of Cincinnati, Ohio and about 300 miles north of Atlanta, Georgia.  I actually work primarily in Lexington, Ky, about an hour commute from my home.

TacACK : First of all, congrats on passing the CCIE-security lab! I always knew you’d kill the lab and you did it!

I wouldn't necessarily say that I killed it, but I was certainly glad that I passed.

TacACK : How did you celebrate when you saw the e-mail!?

I was actually in my hotel room in San Jose, California with my family.  Everyone was sleeping because of the 3 hour time difference. I kept getting up to see if I had received an email yet.  Finally at about midnight, I received an email with a link asking me to log in. When I did so, there was a “congratulations on becoming a CCIE”.  I was nearly moved to tears.  This was such a journey for me.  As far as celebration, I told my wife the good news and spent some time on twitter.  Finally I went back to bed, but found that I was too excited to sleep.

TacACK : When and how did your journey into Cisco networks start?

I started working with Cisco Network equipment in early 1999 at the consulting company I am still with.  My employment began just as a senior engineer was leaving, so I had the opportunity to do practically anything I could educate myself to do.  During the first couple of years, I found myself in many of those “trial by fire” situations.  Nonetheless, I came through the ranks quickly.  I obtained MCSE, CCNA, CCDA, CCNP and CCDP in a couple of years.  After that I went on a certification hiatus, not seeing the need for the paper.  Eventually I jumped back on board and obtained my CCSP and decided I wanted to go to the next level, the CCIE Security.

TacACK : Why did you opt for CCIE-security?

I opted for CCIE Security after quite a bit of thought. Before actually choosing security, I made the decision to pursue the CCIE. I wanted to push my knowledge to the next level and I really enjoy networking. Most engineers choose Routing and Switching as their first CCIE. My company has always dealt with a lot of small and medium sized businesses. As a result, the Security track matched my day to day work much more closely than the Routing and Switching. I do enjoy security, but the reason I chose it was because it was a better fit for me. I may pursue a second CCIE in the future. If so, that will probably be Routing and Switching.

TacACK : What materials did you use for your study?

I primarily used the IPExpert materials.  This included the AoD, VoD and most importantly the practice labs.  I used Proctor Labs for access to Cisco equipment.  I also attended the IPExpert one week bootcamp.  Another item that I found extremely useful was Yusuf Bhaiji’s new practice labs.

TacACK : On a scale of 1..10, how close are the CCIE materials to the actual lab?

That's a little difficult to answer. I think Yusuf's labs are quite similar, so I'd say an 8 or 9 for that. IPExpert's materials were a little more different from the real lab. The good news is that I think the lab is a bit easier. In my opinion, if someone can do very well on these practice materials, I think they'll do okay on the lab. While working through the practice materials, it is important to understand the details. When taking the real lab, time management is very important.

TacACK : What was your daily study plan like?

In the beginning, I went through the labs in volume one. As time progressed, I began assessing myself against the blueprint. Most Saturdays I leased 16 hours of rack time, but sometimes I couldn't concentrate for the full amount of time. During the week, I read and did "mini-labs" on my own equipment. These mini-labs weren't formal in the sense that someone wrote them. I simply went through the blueprint and messed with configurations that encompassed the features I'd be tested on.

TacACK : How did you manage to focus on studies/dedicate so much time for study with a family?

That is a very tough and delicate balancing act. To be honest, I'm not sure that I did a great job at this. For me, I had a special circumstance in which my 10 year old son had a brain hemorrhage about 3 days after I returned from my first attempt. So I had some time that I just totally forgot about the CCIE and focused on his situation. After some scary times, major surgery and a lot of prayers, he has made a full recovery. He actually made the trip with me to San Jose when I passed on the second attempt.

TacACK : You were featured on CLND for your awesome contribution, and as a candidate I'd like to thank you for all the help that you've extended to the CCIE community. Also on twitter, you've helped me by answering many of my questions and by simply inspiring me. Thank you! Do you look up to anyone for inspiration/motivation?

I love Cisco Learning Network Discussions.  That site is such a great community of people at all levels.  I really enjoy the discussions and knowledge that I can obtain and share through all channels.  As far as looking up to people, there are many and they are at all levels.  I am really encouraged to see people who are just getting started but are really putting forth effort and getting this stuff.  I also look up to those who are seasoned, but continue to learn.  I am inspired by the learning process and those who continue to push themselves toward more knowledge.

TacACK : 5 tips for any CCIE Security candidate?

1. Don’t underestimate the time required to prepare for the lab.
2. Get very familiar with the CCIE Security Blueprint
3. Pay attention to every detail of every question.
4. Participate in the study groups like OSL, Group Study and Cisco Learning Network.
5. Time management (have an attack plan in studies and on the lab)

TacACK : What are your future plans like? Consulting? Training?

Yes to both!  I will continue consulting, but have a strong desire to start training.  I am currently in the process of becoming a Cisco Instructor.  Once that process is complete, I hope to spend a week or two a month delivering classes and helping students build a strong foundation for knowledge.  This is a completely new and exciting area for me, so I have a lot to learn too.

You can reach Paul through his website www.packetu.com and through twitter http://twitter.com/packetu.

That's a great interview. Thanks a lot, Paul! You've helped me and a lot of people through your efforts on CLND and twitter :) . Here's wishing you all the best for a bright and illustrious career. Hope you all enjoyed this!

Cheers,

TacACK
