Archive for category Uncategorized

Vol 1.5 labs -> A/A Failover, IOS SSL-VPN, AUTH PROXY

Hey all,

I’m starting my “Vol 1.5″ series of labs from today, where I will be posting the labs I’m doing. These labs are slightly larger than the Vol 1 labs and they focus on multiple technologies at the same time. My aim is to get as close to the Vol 2 labs as possible :) Also, Ryan is my CCIE-Sec study partner and we’re following a systematic approach to nail the beast! Thanks, Ryan. :)

I use Graded Labs for my rack rentals, so the initial configurations are all modified to suit Graded Labs.

TARGET TIME : 4 hours

TOPOLOGY :

INITIAL CONFIGS

TASKS

Please let me know if you have any issues with the configuration, etc., and please forgive any mistakes in the initial configurations.

Cheers,

TacACK

P.S.: Please use either an AAA server or local authentication/authorization for the tasks. I’ll post a lab soon that uses only the AAA server.


3 Topics done

Hello All,

I’m starting with all the tasks that I’ve rated 7, so I did Filtering, Failover and Transparent IOS and ASA firewalls. I’ve updated the schedule with links to the notes that I made :)

This will ensure that they are easily available when we want to check them out later. I’m yet to update the blueprint according to the latest expanded blueprint announced by Cisco. I will do that in time :) (Too bored)

Cheers and happy studying. Please let me know how your studies are going and what you’d like to see here.

TacACK


Awesome announcement from Cisco!

Hey guys and girls!

I was just about to post a new article on some of the notes that I had made recently. As you all know, I recently posted the CCIE blueprint as a checklist and I’ve started ticking things off as I finish them! Well, here’s the good news..

Cisco did EXACTLY the same thing, and their new (and expanded) CCIE v3 blueprint rocks my face! HERE‘s the link to it (registered customers only). If you want it in PDF format, you can find it HERE.

This is really awesome, as I no longer have to keep guessing about the topics that might be included under a particular section. It’s always a good feeling when you hear it from *THE MAN* himself, rather than from providers :)

I will be updating the CCIE-Sec blueprint later today to match this new and improved list.

Cheers!

TacACK


Inactivity Explained!

Hey all,

I’m taking a break from Cisco for 2 weeks or so (2nd week running) as I prepare for the CWNA cert. Hold on, I’ma be back :)


Certificate Based ACL’s

Today I was researching whether there is any way to block users who hold valid certificates from making VPN connections to a router. I found that this can be achieved using an IOS feature called Certificate-based ACLs (CALCs).

Using a CALC we can define a filtering condition on the user certificates, such that only users holding certificates that match the filter criteria are permitted to go through certificate authentication and VPN setup. The other users do not even go through the certificate checking process; they are immediately denied VPN access.

SYNTAX

 (conf-t)#crypto pki certificate map <certificate-map-name> <entry-number>

 certificate-map-name : Represents the name of the CALC

After creating the CALC, we can specify match conditions, or ACEs.

# <field-name> <match-criteria> <match-value>

 field-name : Represents which field in the certificate will be used for the filter. There are many options here:

  • alt-subject-name
  • expires-on
  • issuer-name
  • name
  • serial-number
  • subject-name
  • unstructured-subject-name
  • valid-start

match-criteria : This indicates “how” the match takes place, i.e. how the value in field-name is compared against the match-value. The various possibilities are:

  • eq, ne, co (contains), nc (does not contain), lt (less than), ge (greater than or equal to)

match-value : The value that will be compared against the field-name using the criterion given in match-criteria.

EXAMPLE

#crypto pki certificate map Certs_TB_blocked 10

#subject-name co Marketing

The above CALC will only permit dudes holding a “Marketing” certificate to create VPN connections to the router.

In order to apply this CALC, we need to reference it in the trustpoint definition on our central router. When the central router receives a certificate from a user, it checks with its trustpoint whether the certificate is valid or not. At this juncture, the CALC can be applied to identify which certificates should even be checked (e.g. those from Marketing) and which should be shown the door (e.g. other departments that are not eligible to make VPN connections).

#crypto pki trustpoint Tacack

#match certificate Certs_TB_blocked

#enrollment url … ( bla bla bla… )

Using this, a powerful certificate-filtering feature can be enforced on a router to limit or police the VPN connections from the various users in a company.
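The match logic above, as an added example that is not from the original post or from Cisco: a small Python model of how a certificate map entry is evaluated against a peer certificate, using the post’s `Certs_TB_blocked` map and a few constructed certificates. It assumes (the page does not state this) that all ACEs within one entry must match and that entries are tried in sequence order, that text comparisons are case-insensitive, and that date match-values are written in ISO format. It also goes one step past the post by showing the ordering it describes: a Marketing certificate that is expired passes the CALC but is still refused by the normal validity check that follows it.

```python
from datetime import datetime

# --- Operators, keyed by the match-criteria keywords listed in the post ---
# Text fields (subject-name, issuer-name, ...) use eq/ne/co/nc;
# date fields (expires-on, valid-start) use lt/ge.
STRING_OPS = {
    "eq": lambda actual, want: actual == want,
    "ne": lambda actual, want: actual != want,
    "co": lambda actual, want: want in actual,
    "nc": lambda actual, want: want not in actual,
}
DATE_OPS = {
    "lt": lambda actual, want: actual < want,
    "ge": lambda actual, want: actual >= want,
}
DATE_FIELDS = {"expires-on", "valid-start"}


def match_ace(cert, field, criterion, value):
    """Evaluate one ACE, '<field-name> <match-criteria> <match-value>', against a cert.

    A field absent from the certificate never matches. Case-insensitive text
    compares and ISO date strings are modelling assumptions, not IOS behaviour
    documented on the page.
    """
    actual = cert.get(field)
    if actual is None:
        return False
    if field in DATE_FIELDS:
        if criterion not in DATE_OPS:
            raise ValueError(f"{criterion!r} is not valid for date field {field}")
        return DATE_OPS[criterion](actual, datetime.fromisoformat(value))
    if criterion not in STRING_OPS:
        raise ValueError(f"{criterion!r} is not valid for text field {field}")
    return STRING_OPS[criterion](actual.lower(), value.lower())


def match_map(cert, cert_map):
    """Return the number of the first entry whose ACEs all match, else None.

    Entries are tried in ascending sequence order; ACEs inside one entry are
    ANDed and separate entries are ORed (assumed semantics).
    """
    for seq in sorted(cert_map):
        if all(match_ace(cert, *ace) for ace in cert_map[seq]):
            return seq
    return None


def admit_peer(cert, cert_map, now):
    """Order described in the post: consult the CALC first; only certificates
    that pass it go on to the normal validity-period check."""
    if match_map(cert, cert_map) is None:
        return "denied by CALC"
    if not (cert["valid-start"] <= now < cert["expires-on"]):
        return "denied: certificate not within its validity period"
    return "permitted"


# --- The map from the post, as ACE lists keyed by entry number ---
#   crypto pki certificate map Certs_TB_blocked 10
#    subject-name co Marketing
CERTS_TB_BLOCKED = {10: [("subject-name", "co", "Marketing")]}

# Constructed sample certificates (only the fields a CALC can match on).
NOW = datetime(2025, 3, 1)
SAMPLE_CERTS = {
    "alice": {  # Marketing, currently valid -> permitted
        "subject-name": "CN=alice,OU=Marketing,O=Tacack",
        "issuer-name": "CN=Tacack-CA,O=Tacack",
        "valid-start": datetime(2024, 1, 1),
        "expires-on": datetime(2026, 1, 1),
    },
    "bob": {  # Sales, valid -> never reaches the validity check
        "subject-name": "CN=bob,OU=Sales,O=Tacack",
        "issuer-name": "CN=Tacack-CA,O=Tacack",
        "valid-start": datetime(2024, 1, 1),
        "expires-on": datetime(2026, 1, 1),
    },
    "carol": {  # Marketing but expired -> passes the CALC, fails validity
        "subject-name": "CN=carol,OU=Marketing,O=Tacack",
        "issuer-name": "CN=Tacack-CA,O=Tacack",
        "valid-start": datetime(2022, 1, 1),
        "expires-on": datetime(2023, 1, 1),
    },
}


def evaluate_all(certs=SAMPLE_CERTS, cert_map=CERTS_TB_BLOCKED, now=NOW):
    """Run every sample certificate through the map and return the verdicts."""
    return {name: admit_peer(cert, cert_map, now) for name, cert in certs.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:6s} -> {verdict}")
```

Adding a second ACE to entry 10 (for instance `issuer-name co Tacack-CA`) tightens it, because both conditions must hold; adding a second entry (say `20` with `subject-name co Engineering`) widens it, because a certificate only needs to satisfy one entry.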
