It’s been a long time since i posted a CCIE-sec candidate interview and what better way to start things off again other than an AWESOME interview with CCIE instructor “Brandon Carroll”.

I was fortunate enough to interview Brandon regarding a while back and because of a lot of reasons i got held up doing my own stuff and i couldn’t post it. However, i felt it was about time i posted this article and i’m sure you’ll enjoy this as much as i do. So here we go!

TacACK : Hello Brandon! How are you doing today?

I’m doing well.  I’m working on a number of projects and getting ready for TechFieldDay so its a pretty busy week.

TacACK : For the few CCIE-sec candidates who do not know about Brandon, he’s a CCIE(Security) and a CCSI. Brandon, could you please tell us a little about your CCIE(sec) preparation?

Sure thing.  I’ve been an instructor with a security focus for a number of years.  I teach all the CCSP, now CCNP Security, courses and that was my initial primary preparation method.  I used the knowledge gained there, along with the CCIE Security Written Exam Guide by CCBootcamp to pass the written.  I then used a combination of INE and IPexpert material for the lab.  I own all the workbooks from both vendors as well as the Audio products and Video Products.  I took a 5-day online class from INE and a 5-day live Instructor-led class from IPexpert.  My instructor at INE was Brian Mcgahn and my instructor at IPexpert was Jared Scrivener.  Bot were great instructors.

TacACK : Did you clear the lab on your first attempt? If not , what do you think was missing in your prep?

No I didnt.  The frist time I took the lab was more of a test run to see how it was.  I had no formal training and was in way over my head.  I simply had no time to learn about stuff I had not seen prior to that lab.  The second attempt was after the INE class and I was well prepared for the technology but had no strategy.  The final attempt was after the IPexpert class and I had the perfect strategy and without it I would not have passed.

TacACK : For many candidates (including me) , who couldn’t pass the CCIE on their first attempt, what would your advice to them be? What is the one or many “special” thing(s) that we have to study/lab to cross the hurdle?

Have a plan and stick with it.  Its easy to get sidetracked when you get nervous and frustrated.  If you say you will only spend 10 minutes on a task you MUST move on, even if you will need to come back to it later.  Just stick with the plan.  Also, your life should be spent on the racks.  You should be dreaming about the lab before you go to the lab.  It sounds goofy, but thats how it is.

TacACK : Haha I know a good friend of mine ( Ryan Schuett ) has dreams about configurations! Alright,  now coming to the OEQs. Are there any pointers that you could give us regarding prep for them?

Use Yusufs flash cards.  Other than that, if you know your material they OEQs are a non-issue.

TacACK : What according to you are the most difficult/tricky sections in the CCIE(sec) blueprint?

The ones you don’t know well.  It varies by the person.  For me, it was probably DMVPN troubleshooting.  I think FPM is giving people a run for their money along with GET VPN and multicast rekeying.  Its all fun stuff though!

TacACK : What changes do you see in the near-future in the CCIE(sec) track?

At the moment, not much.  Eventually IOS 15 will need to be introduced along with ASA 8.3 and IPS 7 or 8.  Depending on when things change.  I cant see much in the way of technology being added unless more focus if give to datacenter security which I doubt.  Cisco has been in a bit of a lull with Security in general and i think that drives what the program does.

TacACK : What do you feel is the #1 mistake that CCIE(sec) candidates make?

They overthink some things and underthing others.  You have to find a balance.  Yes you only do what you are told, but you better think about what is affected by what you change.

TacACK : That’ s a tough one. I have the same problem. Ok moving onto more lighter things, what is your daily schedule like?

Basically I’m up at 6 or so, sometimes earlier.  I spend about an hour reviewing email, twitter, facebook and so on.  If I’m teaching a class its basically start teaching at 8:30, lecture / break/ email/ read RSS feeds/ Start a new blog post.  At lunch I typicall schedule all my conference calls or I read and lab.When students are doing labs so am I.After work I hang out with my kids a bit, read some more, blog some more, lab some more.I head to bed around midnight every day.

TacACK : On an average, how much time do you spend reading everyday?

I couldn’t even guess.  I read off and on all day long and its usually multiple sources, books, blogs, etc.

TacACK : What are the 5 things that you recommend every CCIE(sec) candidate to do

Read, Lab, Listen to VoD and Audio, Rest, and take at least one class with a live instructor

TacACK : That’s great advice  Brandon! Thanks a lot for the interview , where can one reach you if they wanted to talk to you/take some of your classes?

Im on twitter @brandoncarroll, of my blog at http://www.globalconfig.net.  You can find my contact info there for links to facebook, linkedin and so on.

TacACK : Again, thanks a lot for the interview Brandon. I really appreciate this and i bet so will all the CCIE(sec) candidates who read this!

Thank you! I appreciate being able to assist people in their journey to CCIE!

Wasn’t that a great interview! One thing i absolutely admire in Brandon and many other CCIE instructors is the fact that , despite their hectic schedules, they still keep aside time to talk to their students and answer their questions patiently. I guess that’s the difference between an instructor who is good and an instructor who is just plain Awesome. Brandon definitely falls into the latter category!

Cheers,
TacACK

There was recently a question on OSL regarding fragmentation on IPSEC and GRE tunnels. This was a shady topic to me and i decided to do some study on it. After some search, i found this incredible whitepaper from Cisco which had all the details that i was looking for. You can find the link to the document below.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

I love the graphics on the whitepaper which give us a detailed picture of the fragmentation process in tunnels and the different places where the packet can get fragmented in a GRE tunnel . I must say, this is DEFINITELY one of the most informative documents that i’ve come across and i hope it helps you as much as it did to me.

Cheers,

TacACK

EDIT : I have to admit, this paper pretty lengthy and time-consuming , so i would suggest giving it about 1.5 – 2 hours of quiet time for all of it to seep in . Again, that’s just what works for me

I have come across many awesome links through the course of the last 2 years of study and i will try and share them with you as much as i can.

Here are 3 of them which i was reading today:

• Control Plane Policing
  • http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html
• Control Plane Protection
  • http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/htcpp.html#wp1121935
• Control Plane Logging
  • http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_cpl.html

These will not be available as a part of the standard CCIE-LAB documentation, but nonetheless,  i find these documents very good. They drive home the concepts very well and i’m sure they’ll help the reader get a clearer picture about the different Control plane protection mechanisms.

Cheers,
TacACK

It’s been a while since my 2nd attempt ( about a week ) and i’m still wondering what went wrong. Yes, i failed my second attempt . What made it even worse was the fact that like my previous attempt, i flunked in both the OEQ section and the lab section. I guess that’s what makes this so hard for me to digest.

I was hoping to atleast clear the lab section if not for the crazy OEQs . But to be honest, i’m not sure what went wrong. I thought i’d done all the right prep, done my share of vol-1 labs , vol -2 labs. I might not be super-smart, but i’ve tried to squeeze every minute of my daily schedule to work on this for the last 2 years.

That’s what makes it disheartening.

I know there are some who have attempted many times and yet failed, but what i badly want to know is why i failed. Since cisco doesn’t tell us why, there’s fat chance of that happening.

Overall, i still think taking this positively is the right way to go for me, but that’s going to take sometime. Right now, i’m still a little down about the whole thing. But , one thing is for certain, i’m not taking another lab anytime soon. I want to master each and every topic before i even think of going for another attempt.

Secondly, i WILL not do dumps no matter how many times i flunk this. I hate dumps. I do not think people who do dumps deserve their CCIE digits. I don’t care if i become a ccie at 67 , but no dumps.

My plan of doing some tutorials is still on, but at the moment, i honestly don’t know when i’m going to be starting it. It will be soon though ( within the first 2 weeks of January ) .

Sorry to go emo on you, but since this blog reflects my CCIE-sec journey, so i put this blogpost in too.

Cheers,
TacACK

I’m hoping to launch a new project , for which i’m holding some test-runs very soon. I will be taking on a  topic in the CCIE-sec blueprint and i’ll be holding a full 5-6 class on it. Again, i’m not a professional and this is going to be the first time i’m going to be doing something like this. This trial-run is designed so that i can judge my strenghts , weaknesses , etc.

For this, i would like to request 2 ccie-sec candidates ( the ideal audience would be people who are just starting out with their CCIE-sec study ) , to be my guinea pigs . This will be a 5-6 hour session and i will try and cover as much about the topic as possible with detailed slides , labs and explanation. I will also have sometime reserved for questions/doubts that you might like to throw at me. I would be super happy if you can maybe spare the allotted time in your busy-schedule and take a seat in my e-class. Also, what i’m looking for is feedback on how the experience could be improved, etc.

Of course, all of this is free and i’m really looking forward to meeting you online and having a wonderful discussion about a CCIE-sec topic. If you’re interested , you can either shoot me an e-mail at tacack at tacack.com , or you can leave a comment to this post.

Cheers,

TacACK

I spent a couple of hours tooling with FTP inspection on the ASA today. To be honest, prior to today, i didn’t know how exactly things worked. Anyways , after doing some study i now feel pretty confident about the technology , so i recorded a small video to share it with the rest of the ccie-sec community. Here it is!

Please feel free to contact me by either leaving comments to this post or sending me an email ( tacack at tacack dot com ). I’d really appreciate it if you could maybe point out some mistakes in my explanation/understanding.

Take care and have a great weekend!

TacACK

I’m just going to keep up the same study plan that i had followed for my first attempt but i’m going to add a couple of extra features in there which i didn’t do the last time around :

• Go through the solutions. I can’t believe i messed this up the first time around and believe me when i tell you, even if you’ve got the answer, it always pays to look through the solutions
• Participate in forums. If you’ve gone through Kingsley’s interview ( previous blog-post ) , you must have realized how much forums can activate one’s thought process. I find it very helpful and i plan on continuing to participate in OSL and CLND
• Try and watch all the tutorial videos that i can find my hands on
• Finish the online bootcamp that i’ve ordered from INE
• Go through Yusuf’s book prior to the lab. This will prove invaluable in getting the OEQs right  ( Atleast that’s my belief )(and finally!)
• Go through all the configuration examples in the doc-cd.

After a 2 week forced break, i’m happy that i’m back to labbing. Although my brain’s kinda rusty at this point, i’m doing my best to keep it greased and running by labbing . I did the INE IOS-Firewall Vol1 lab yesterday and i’m going to do the IPX vol 2A lab today ( pure evil! ).

Also, i hope you’re all doing well and kicking some serious ccie-sec butt! Do let me know about your study techniques and i’d be glad to put them up here.

Cheers and have a wonderful day!
TacACK

In an earlier blogpost , i’ve explained the basics of L2TP . In this video, we’re going to be talking about L2TP over IPSec , which is a configuration task in the CCIE-Security Lab blueprint. I thought it would be better if i did a video rather than write about it.

So here it is.

I’d love to hear feedback on how you found the video and what things i could do to improve my technical/presentation skills.

Cheers,

TacACK

I’m working on an article ( for a change i’m taking time out to write this ) and i thought i’d share some great videos with you. These videos are not created by me, they are created by Brandon Carroll ( CCIE #23837 (security) ).

As you might already know, Brandon Carroll is an awesome instructor who worked for IPX and is now working for Ascolta Training. He runs a very informative blog and he regularly posts articles there and i find them very helpful.

Yesterday, i came across some videos on his blogsite which were very impressive. He shows us how to configure Anyconnect VPN on the ASA, using the ASDM. If you’re an ASDM fanboy, then this video is a must-watch! Even otherwise, i’d highly recommend watching this because you’re getting free lessons from Brandon who is very well known for his deep technical knowledge and excellent explanation skills. I’ve loved all the IPX videos that Brandon has done and i hope to meet him someday . So, here are the videos!

PART 1 -> http://globalconfig.net/2010/09/10/configuring-ssl-vpn-with-full-tunnel-access-on-cisco-asa-8-2/

PART 2 -> http://globalconfig.net/2010/09/13/configuring-ssl-vpn-with-full-tunnel-access-on-cisco-asa-8-2-part-2/

Again, many thanks to Brandon for posting such great material .

Cheers and Happy studying,

TacACK

Hello All,

I have a treat for you today. Well, to be honest , it’s more like a treat for myself , but i thought someone might find it useful too! It’s the NAT IOS order of operation . I’ve tried , tried and tried unsuccessfully to find the exact order of IOS Nat in the Doc-CD. So, this morning, i decided the only way i’m going to find it out is by labbing up a test-scenario where i could manually test out the order of IOS NAT. What better way to learn than by practice right?

Ok, as a foreword, the NAT order of operation on the ASA is fairly easy to find in the Doc-CD and it’s as follows :

NAT exemption

Static NAT, Static Policy NAT

Static PAT , Static Policy PAT

Policy NAT

Dynamic NAT

For the IOS , i found that the order is as follows :

Static NAT

Static PAT

Dynamic NAT using Access lists

Dynamic PAT using Access lists

Static NAT using Route-maps / Dynamic NAT using Route-maps .


• • If both Static NAT using route-maps and Dynamic NAT using route-maps is configured, then the precedence works as follows :
    • The ROUTE-MAP names are compared lexicographically. The NAT entry with a route-map which has a higher lexicographic value than the other is preferred.
    • If the ROUTE-MAPs are identical lexicographically, then Static NAT gets preference over Dynamic NAT
      

Static PAT using Route-maps /Dynamic PAT using Route-maps


• • Same as the previous point.
    

Again, if you feel i’ve erred somewhere, please feel free to point out the mistakes either in the comments section or by leaving a small message on the chatbox on the right-hand-bar.

I’m really happy i finally figured this out, because i can now know exactly how the NAT statements are processed in the IOS. Hope you find this helpful too!

Cheers,
TacACK