Archive for category CCIE-Security
Back from the dead
Posted by TacAck in CCIE-Security on September 6th, 2010
Hello All!
My apologies for not blogging actively for the last couple of weeks. I really missed blogging and talking to all of you 
As you might(not)? know i had my CCIE-security lab last week and i regret to inform you all that i did not clear it this time. The lab was tougher than my expectations and although i knew i would be flunking it right at the beginning ( thanks to the OEQs) , i was feeling good after the lab because i felt i did the lab portion of it correctly. But, sadly, i later found out that i did’nt clear both the lab and the OEQ sections. This was a little suprising because i thought i had fared well in atleast the configuration section of the lab.
Well, if life has taught us all one lesson , it is to never look back and to work harder to achieve our goals. That’s exactly what i’m going to do.
It’s very overwhelming to receive the amount of support that i’ve received after i announced my results on twitter and OSL. I’m very very thankful to each and every one of you for believing in me and for motivating me to keep the hard-work going. Thank you!
I will be more active and i will post a lot more videos on complex topics which i hope to master too .
Cheers and Happy studying!
TacACK
INE Lab 8 today!
Posted by TacAck in CCIE-Security on August 3rd, 2010
Hello Hello!
I’ve been busy for the last couple of days doing some ccie-sec stuff and also getting some work done. I did INE lab 5 first and i found it REALLY REALLY hard! I don’t think there’s anyway the real exam is going be this hard.
After that, i did INE Lab 7 and i found it pretty fair. Some sections were tough, but most sections were doable. I found some confidence after doing them and i think i need to work a little bit more on my speed.
Later tonight, i’ll be posting a video about how i actually start the lab. This will include how i draw the diagram, how i take down notes ,etc. If you feel i should do anything differently, please feel free to let me know!
Yesterday, i did a lot of Doc-CD study. I studied/did-some labs on IOS NAT, went through the great free whitepapers available on the INE website! I also did some VPN configurations but i just couldn’t get EZVPN to work. :/ I wanted to debug this but couldn’t find the time yesterday.
In about 30 mins time, my rack-rental session starts and i intend to do INE Lab 8 today. Hopefully, it’ll be fun!
P.S : I’m sorry if my blogs don’t have much techy stuff these days, it’s just because there’s so much going on and i’m finding it a little hard to collect it all and blog it. But i promise, after my 1st attempt, i will start blogging in depth about the technologies ( and a little less about my feelings 
)
Cheers and have fun!
TacACK
INE – 2 , TacACK – 1
Posted by TacAck in CCIE-Security on July 29th, 2010
Hell All,
To sum it up in one sentence, INE vol 2 Lab 4 was HELL( http://en.wikipedia.org/wiki/Hell ) ! The configuration sections were just too long and very very tough. I had a 5.5 hour time period in which i had to finish the lab, but i only managed to finish 4 sections , and half of one other section.
The sections i finished were :
- ASA
- Very long
- I wouldn’t call this tough , but it wasn’t easy either. Required a lot of thinking
- IOS F/w
- This section was relatively easy, but it took a long time ( considering that there were only 2 tasks ).
- The ZBPF section was a little tricky, because i had to keep revisiting this, because a lot of the later configs had to be accounted for when doing the configuration.
- VPN
- There was an IPSec HA section. To be honest, i’d like to think i’m good with IPSec HA ( because i’ve practiced it many times ) , but i just didn’t understand the question.
- I don’t know if my understanding was flawed or if the question was worded badly. Either way, i couldn’t configure it.
- There was a troubleshooting question here , which was pretty simple. Again, this got a little more complicated because, the router which had the issue was also running ZBPF. So , had to account for that. ( More time spent )
- ID MGMT
- They had 2 , i repeat 2 NAC sections. Since i didn’t know NAC , i just skipped these and moved on
- Even the command authorization section was tough.
- CONTROL PLANE SECURITY
- 2/3 tasks were easy.
- One task was tough. ( required a lot of thinking , digging up the doc-cd ). However i’m still not convinced about the answer. I must ask some folks on OSL.
- IPS
- The only section which was simple.
- The penultimate task threw me off slightly, but i somehow figured out what to do. (Took some time)
- ADVANCED SECURITY
- Again, not very difficult configurations, but they were very detailed and i took a lot of time configuring and testing them. I’d like to think they’re correct, but i’ll only know once i tally them with the answers.
- I skipped the last task because i felt i was running out of time.
- NETWORK ATTACKS
- Didn’t have time to do this.
As you can see, i couldn’t finish the lab in the 5.5 hours. So i managed to save the configs and i’m going to try it again sometime soon ( maybe tomorrow ).
I’d love to hear from you about how your studies are going! Please feel free to buzz me on twitter ( @tacack ) , or by e-mail ( tacack at tacack dot com ) , or by just commenting to this post.
Cheers and Happy studying!
TacACK
INE vol 2 – Lab 4 revision today
Posted by TacAck in CCIE-Security on July 28th, 2010
Hello All!
I had an interesting day yesterday! I didn’t have any rack-rentals scheduled as i was scheduled to be spending most of my day doing some work-related stuff. I did that till about 3 PM and then i fired up good ‘ol GNS3 and started doing some small labs. I had forgotten how much FUN this was! Here are a couple of things that i labbed yesterday :
- DNS rewrite on the ASAs
- This was a simple topic but i have issues getting this to work 100% of the time, so i decided to spend some time labbing this. Only then did i figure out how complex this actually is. I was referring to the Doc-cd page for “Application inspection” on the ASA and i found some very interesting scenarios(one in particular) which i wanted to share with you.
- It’s called DNS rewrite with 3 NAT zones
- We all know how DNS rewrite works. Most of the times, out of habit, we generally configure only 2 NAT zones when we have to test this (ex : inside,outside) . So what happens is , the “A-record” in the DNS response gets translated according to the static nat entry.
- Now, add another zone. It gets interesting now. What happens if, the user is on the inside, the web-server is on the dmz and the DNS server is on the outside. How does rewrite actually work. For this i found an awesome section -> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1336066 , which gives us a clear picture on how this happens. I also labbed this up and i was happy to see it working as expected.
- I also tried the “alias” command and that worked too.
- Local IOS command authorization
- I was revising IPX Vol 2 – Lab 11 , and i found that i was n0t too confident about the local command authorization section. So , i fired up a small lab and proceeded to do it. I’m now confident about how this works and i’m sure i could work my way through this task , if i face it again.
- AAA Cut-through-proxy on the ASA
- I had configured regular CTP on the ASA before ( aaa authentication match <ACL> inside <method>) . But i was wondering what the “aaa authentication listener” command did. So i read up on some documentation ( which , i must say , i’m not very impressed with ) and i started configuring this.
- I learnt that, by entering the “aaa authentication listener” command with the “redirect” , we are redirected to a fancy new page where we have to enter our credentials , instead of the usual pop-up box that we usually get.
- But, without the redirect keyword, it performs CTP just the usual way . I don’t see any difference in adding the aaa authentication listener command. If someone knows the difference, i’d love to know what it is?!
One thing which i do regularly is to revisit the doc-cd to read about the order of processing of the classes/actions in policy-maps on the ASAs. I find this VERY helpful http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html#wp1083060 as i go about labbing. This can definitely make/break a configuration and i would suggest you are well versed with it.
Today, i have a rack-rental scheduled where i’m going to revisit INE vol2 – lab 4 . I’ll be keeping notes on how it went and i’ll definitely share it with you tomorrow.
Have a great day!
Cheers,
TacACK
After a long time!
Posted by TacAck in CCIE-Security on July 27th, 2010
Hello All,
It’s been a while since i posted about my study , partly because i’ve been held up doing a lot of miscellaneous jobs. Work ( Coding in ADA ) is really hectic these days and i’m unable to allocate the amount of the time that i would like to allocate to studies and labbing. However i have been studying and labbing whenever i can and here’s a list of things that i’ve done / things i need to do.
DONE
- INE Vol 2 – Lab 1
- INE Vol 2 – Lab 2
- INE Vol 2 – Lab 3
- INE Vol 2 – Lab 10
- IPX Vol 2 – Lab 11
- IPX Vol 2 – Lab 12 ( In progress )
Although, i have done all of these labs, i’m not sure i’ll be able to nail them again because i havent revised the topics that i had difficulties configuring. I must do that sometime this week and ensure that i know the contents of these labs inside out.
Today, i was doing IPX Vol 2 – Lab 12. I always have difficulties with IPX (and some INE) labs. That’s because they’re really hard, elaborate and take a whole lotta time . For me, it’s nearly impossible finishing it in the 8 hour period. I had about 7 hours of quality lab time today, out of which , i spent an hour re-drawing the diagram and going through the configuration items at the beginning. In the remaining time i could configure 5/8 sections. I have saved the configs and will continue the next time i have a rack-rental. I was a little worried this morning regarding my speed. I thought i was the only one with the slow speed and i was trying to analyze if there was something i was doing/missing, which was causing the slow speed.
But then, later today , i had the good fortune to talk to Kingsley and Toyos about the IPX labs and i found out that both of them were taking a little more time than the allotted 8 hours to finish the lab. This put my mind to ease, because i knew everyone was finding these labs hard and it was not only me.
I hope to get some office work done tomorrow and also study some stuff about NAC , practice some ACS configurations. I also hope to do the first lab in “Yusuf’s workbook” the day-after-tomorrow. Let’s see how that goes. Very excited!
See you tomorrow!
Cheers and Good night!
TacACK
-
You are currently browsing the archives for the CCIE-Security category.
INTERACT!
Last Message22 hours, 54 minutesago2 guests are online.- Info : Please, resolve the addition below before post any new comment...
- Rami : so i wondering if this exam can be passed or not
- Rami : Am sorry for that, hope you will do it next time, my studying is going on slowly, am little bit fed up, you are the 3rd person i know who didnt clear it, i've 2 of my friends didnt clear it too.
- TacAck : Hello Rami, Well i couldn't clear the lab this time. However i hope to clear it sometime soon How are your studies going ?
- Rami : Hello man, how was you exam?
- TacAck : Hello Guest_1455. Yeah, i guess i'm as ready as i'll ever be Hoping to have a good time.
- Guest_1455 : ready for the exam? did u finalize every thing? good luck
- Guest_1455 : Hello man,
- TacAck : Thank you Rahgovin
- rahgovin : See that your lab exam is coming up soon. All the best for the same Do well.
- TacAck : Thank you , my friend!
- Guest_3723 : it has to be really god meal I wish you good luck man!!!
- TacAck : Yep! I've the lab scheduled on the 31st of this month. Hoping to get atleast a good meal for the $1400
- Guest_3723 : I saw your countdown you are going very soon
- Guest_3723 : I think it is going to be at the end of November.
- TacAck : Thanks a lot Guest_3723! All the best for your ccie-sec journey too. When are you shooting for the lab?
- Guest_3723 : I am also an ccie sec candidate.
- Guest_3723 : Good luck on your exam!
- TacAck : Hello Guest_1455 -> By CLND , I was referring to the Cisco Learning Network Discussions
- Guest_1455 : Hi, what clnd you are talking about?
- TacAck : Hello Guest_2104, please go ahead with your question. I hope to be of some assistance!
- Guest_2104 : anyone thr... i've some doubts
- Guest_2104 : hi
- TacAck : One of my ccie-sec peeps ( Simon Baumann ) just finished his lab in Dubai. Here's wishing him the best of luck!
- TacAck : Thanks for the kind words Pritham!
- Pritham : Wow...another goal from TacACK...nice interview...keep it up
- TacAck : Lol..Ajay! Welcome to my boring world
- Guest_462 : nope im Ajay lol
- TacAck : Hello Guest_462! Thanks for visiting! Are you a ccie-sec candidate too?
- Guest_462 : hey tacAck
- routsec : Another good interview. I wish only the best of luck to Brian A!
- TacAck : Hello! Thanks for visiting. What kinda examples are you looking for? I could help you find them?
- Guest_848 : Ana, thanks for the link to this cool site. Where's the examples of CCNA ACL's?
- TacAck : Thanks Ana. Are you on the CCIE-sec train too?
- Ana : your website is very well structured, I like your explanations. thank you.
- TacAck : @Pritham Thanks for the kind words
- Pritham : Hey tacAck, I just went thru ur short tweenterview wid amplebrain ,really awesum...keep it up
- TacAck : Good luck with your studies, Pritham!
- Pritham : Currently loading CCSP...next CCIE-sec
- TacAck : That's great to hear! Are you studying for CCIE-sec?
- Pritham : @ TacAck...I m frm Mumbai...
- TacAck : Haha @Pritham. Thanks! Where are you from?
- Pritham : Thx Macha...its really inspiring !!!
- TacAck : @LBSources -> Thanks bro. I hope to keep learning and sharing
- LBSources : Your blogging is very inspiring man. CCIE-Sec is the goal for me as well. Thanks for sharing your journey.
- TacAck : Thanks Murad
- Murad Rahman : Cool job with taking notes.
- Murad Rahman : Dude,
- TacAck : @Murad : Hang in there bro, and keep plugging away at the lab
- TacAck : 3) Almost none, but yes there is. I do feel bad when i see my friends chill out and go on vacations,etc , but this is all going to be worth it
- TacAck : 2) Umm..not sure if i understand your question. Could you please elaborate?
- TacAck : 1) Hardware costs a lot and rack-rentals are a lot cheaper. I can rent a rack for about 600-700 hours for half the price of a second-hand ASA
- TacAck : Hello Murad. Here are my answers
- Murad : 2. when you use INE/IPX material, how do you blend it with DOC-CD? 3. Is there any social life for CCIE candidates?
- Murad : Shoutbox sucks!
- Murad : Great Blog! Your blog keeps me motivated although I am not making much progress Unfortunately. I had few questions: 1. why rack rental? - because you don't have hardware cost or because all
- TacAck : Thanks @rahgovin for the encouragement
- rahgovin : hey man...awesome posts...keep up the good work..
- routsec : I have a feeling that we will not be tested on LI views.....
- routsec : Quick update on LI Views, I believe SNMP v3 needs to be enabled along with the view defined. Unfortunately, I don't have a high end router (I have a 2851) that supports the TAP mib. This is why the view is absent I believe...
- Tac-ACK : Hey Ryan! Maybe on the same date? Will def book it tonight..see you on gtalk/wave!
- routsec : The date is set my friend - Aug. 31 Any idea when you will schedule?
- routsec : Have you taken a vacation, I am concerned due to your absence from the digital world....
- TacAck : @routsec : Yes, we can , my friend. We're going to kick it!
- routsec : Well, hopefully we can crunch through the studies in the month of March!
- TacAck : Currently reading some NAC fundamentals!
- TacAck : Would you like to too any topic covered .. Let me know!
- TacAck : Would you like any changes to be made to the site.. Let me know!
- TacAck : EVERYONE my wave id is " ybnmts at googlewave.com"
- TacAck : Hello Tirumala. I've sent you an invite you should be getting one soon.
- Tirumala : please send me wave request to «email»
- TacAck : So will i , my friend
- Routec : Time to get on the wave and do some serious labbing material. I will be on the wave all this week!
- TacAck : Sure Please email me your wave ID and i'll add you right in
- Guest_58 : Can I get google wave invitation from you.
- TacAck : Thanks for the all kickass info that you pose Ryan ( a.k.a Routsec ) . I really appreciate all your help!
- routsec : I have been trying to keep our core knowledge questions coming. Check out some new ones on the Wave!
- TacAck : Yeah control plane security next!
- Routec : Well, I see you put Identity Management on the wave, I have to do some catch up now. Control and Management Plane Security next?
- TacAck : Thanks for the suggestion @routsec. We've started the IPS thread on the wave, next i'm planning to do Attack mitigation/contr ol plane security. Any suggestions/comm ents?
- routsec : I guess we should start coming up with another WAVE topic. I chose IPS, your turn....
- TacAck : Another wave is scheduled at 7 PM UTC on Friday! Be there!
- TacAck : Next Wave at 1:30 AM UTC! See you there Routsec! Others are welcome!
- TacAck : I'll schedule the next one in accordance with either the Pacific or Atlantic time-zone More surfers = better!
- routsec : Too bad we are about 12 hours apart. I would have liked to join you in google wave.
- TacAck : P.S : This is not a twitter feed This's like a Chat engine/live discussion/query tool!
- TacAck : Guys, i'm going to be starting a WAVE at 2 PM IST ( 9:30 AM UTC ) when i start the Lt2p config. Do feel free to join . My google wave id is "ybnmts". Send me a request! Cheers!
- TacAck : I'm making notes for the next article
- TacAck : Alright guys! I'm starting Written study in about 20 mins...
- TacAck : Any feedbacks/commen ts will be appreciated!
- TacAck : Hello everyone! I've integrated this new feature with the site so that we can interact live whenever possible! Cheers!
