  1. Junior Member Registered Member
    Join Date
    Sep 2016
    Location
    Hawaii
    Posts
    6
    #26
    I'm also in the Z2H class, this is Cliff. I plan to take the v5 written next year.

    Since our class was rescheduled, I've been labbing all weekend and doing related work projects. I've got a VPN RA deployment and guest wireless project all using ISE to secure the endpoints (4 x ASA 5585's in active/standby pairs or maybe clustering depending on what we learn in the class).
    Just got the ASA's and ISE configured with multifactor authentication for Cisco AnyConnect as part of the RA deployment. Meeting with engineering team tomorrow to go over design for ISE pushing dACL's to the AC endpoints.

    A comment on the ISE switch config. This is optional and not needed for the minimal config you are labbing. I ran into a production issue when a switch stack lost connectivity to the ISE nodes due to a routing issue and the voice vlan stopped working. Traced it to a missing command on the interfaces:

    authentication event server dead action authorize voice

    After entering this command on the appropriate port ranges and bouncing the ports the voice vlan was restored.

    The following command was in place:

    authentication event server dead action reinitialize vlan xxx

    This enabled workstations to continue functioning on the data vlan xxx, but without the voice authorization command the IP phones stayed in the data vlan.

    This is nicely documented in Iris's blog under Radius session timeout in her 802.1x switch config article.

    Not sure how relevant this is to the lab exam, but something to keep in mind with respect to designing out a production network and proper placement of ISE nodes (we have 6 in our production environment). I looked ahead into the Vol3 workbook but couldn't find anything related (just MAB'ing and profiling IP phones). I'd like to test this scenario once Piotr has our pods up tho. I was looking at the class topology, and I can shutdown vlan 203 to simulate this issue.

    Good luck on your lab prep for December. BTW, what books did you end up using for the v4.1 written? I saw an earlier post when you were figuring out which books to use.
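An added example, not part of the original post or of any Cisco tooling: a small audit that flags 802.1X/MAB access ports which have a voice VLAN but lack the `authentication event server dead action authorize voice` command described in post #26. The sample running-config, its VLAN numbers, the finding labels, and the use of `authentication port-control auto` as the marker for an enforced port are assumptions made for illustration.

```python
import re

# Constructed sample running-config (not from the thread); VLAN ids are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport voice vlan 20
 authentication event server dead action reinitialize vlan 10
 authentication event server dead action authorize voice
 authentication port-control auto
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport voice vlan 20
 authentication event server dead action reinitialize vlan 10
 authentication port-control auto
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
 authentication event server dead action reinitialize vlan 10
 authentication port-control auto
!
interface GigabitEthernet1/0/4
 switchport access vlan 10
 switchport voice vlan 20
 authentication port-control auto
!
interface GigabitEthernet1/0/48
 description uplink
 switchport mode trunk
!
"""

# Critical-auth action for the data VLAN when all RADIUS servers are dead.
DEAD_DATA = re.compile(
    r"^authentication event server dead action (reinitialize|authorize) vlan \d+$"
)
# Critical-auth action for the voice VLAN (the command missing in post #26).
DEAD_VOICE = "authentication event server dead action authorize voice"


def parse_interfaces(config):
    """Return {interface name: [stripped sub-command lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or any global command ends the interface block
    return interfaces


def audit_critical_auth(config):
    """Return {interface: [finding labels]} for ports with critical-auth gaps."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        # Assumption: only ports doing 802.1X/MAB enforcement are in scope.
        if "authentication port-control auto" not in lines:
            continue
        issues = []
        if not any(DEAD_DATA.match(line) for line in lines):
            issues.append("no-critical-data")
        has_voice_vlan = any(l.startswith("switchport voice vlan ") for l in lines)
        if has_voice_vlan and DEAD_VOICE not in lines:
            # Phones on this port lose the voice VLAN if ISE is unreachable.
            issues.append("no-critical-voice")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_critical_auth(SAMPLE_CONFIG).items():
        print(port, ", ".join(issues))
```
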

  3. Senior Member Kreken's Avatar
    Join Date
    Sep 2012
    Location
    NYC
    Posts
    261

    Certifications
    CCNP R&S, CCDP, CCNP:S
    #27
    Thank you for the comments on ISE.

    I took written v4.0. I read Cisco Firewalls; partially IPsec VPN Design, Network security principles and practices (partially due to the book's age). RFCs listed here: Study/Learn Resources - Cisco. A lot of white papers on securing protocols and security design.

    I failed my first attempt by 30 points. Most of the questions I answered wrong were about IPv6 security and TrustSec. Plus, I made some very careless mistakes. Re-booked the exam for a date three weeks later (mandatory wait time), studied my weak areas and passed the second time.

    Edit: Forgot to mention VPNs. I used VPN configuration guides and labbed them in GNS3. It seemed like the only way for me to understand DMVPN phase 2 and 3 was to see how it works.
    Last edited by Kreken; 09-06-2016 at 05:54 PM.

  4. Junior Member Registered Member
    Join Date
    Sep 2016
    Location
    Hawaii
    Posts
    6
    #28
    Thank you, that really helps for scoping out the required reading and planning a study schedule for the core technologies. For v5 I'll supplement/replace with the new tech topics (eg, FP instead of legacy IPS).

    For ISE, I'm reading the 802.1x IEEE spec to become more familiar with the standard. I read through the SISAS book and will be picking up Practical Deployment of Cisco ISE mentioned previously on this thread.

    In a prior thread you had mentioned drawing ASA's and routers in GNS3, typing the configs in notepad, then pasting configs into GNS3 and troubleshooting. I have two 5516's with FP services to play with, but I like the GNS3 approach better for conditioning and building speed for the lab.

  5. Senior Member Kreken's Avatar
    Join Date
    Sep 2012
    Location
    NYC
    Posts
    261

    Certifications
    CCNP R&S, CCDP, CCNP:S
    #29
    Anytime. Another thing I forgot to suggest is to read the release notes for the major releases.

    If you are going for v5 lab, you will have to use ASAv in GNS3. Since it runs as qemu, I would suggest installing a loopback on your NIC, connecting it to a cloud in GNS3 and connecting ASAv to a cloud (like in this guide: ASA 8.4 with ASDM on GNS3 - Step by Step Guide - XeruNetworks). That way you can use Putty on your desktop to configure ASA; otherwise it would be a pain in the back (you can't scroll, copy & paste, etc.). ASAv doesn't support multiple contexts so you would need either a physical device or use 8.2 or .4 ASA image in GNS3.

  6. Senior Member Kreken's Avatar
    Join Date
    Sep 2012
    Location
    NYC
    Posts
    261

    Certifications
    CCNP R&S, CCDP, CCNP:S
    #30
    This week I finished going over the last of the material that I think I will need for the lab. From this point, besides the class on Saturdays, it will only be labbing. My schedule is Monday through Friday I spend on average 3.5-4 hours daily, 8 hours class on Saturday and I take a break on Sunday.

  7. Junior Member Registered Member
    Join Date
    Sep 2016
    Location
    Hawaii
    Posts
    6
    #31
    I got ASA 8.4 working under GNS3. I struggled with formatting disk0 and saving configs but I've finally got it working. I'm working with my local Cisco Sales Engineer to get ASAv and the other evaluation downloads from Cisco.

    Are you using the Z2H lab workbook set or are you using something like the INE CCIE Security Practice Lab workbook to prep and simulate the lab tshoot/diag/config exam experience? I understand Piotr won't be covering legacy IPS in the class. With no legacy IPS in our pods, I imagine you've built the IPS lab related topologies in your home lab. I've been reading the legacy IPS config tasks in the Z2H Vol 2 workbook.

    I'm reconsidering taking the v4 written and lab before they're gone. At my new job, I work with legacy IPS, old Cisco VPN concentrators, and an older version of ISE. I'm not sure how the v5 tech will fit into my production network as of yet.

    Will it be possible to do v4 lab exam retakes after January 2017? I recall your lab is scheduled in December. I'm still tossing this around as I may end up not having enough time.

  8. Senior Member Kreken's Avatar
    Join Date
    Sep 2012
    Location
    NYC
    Posts
    261

    Certifications
    CCNP R&S, CCDP, CCNP:S
    #32
    I am going through Z2H lab workbook and I build and troubleshoot my own. I don't build them to be extensive so one topology could be used for everything; I break it down by specific topics so it's easier and quicker to set up. I would recommend trying to build your own at least a couple of times. After a while, you realize there are only so many ways you can break it as traffic still needs to get through.

    I don't think it's possible to do v4 after 30th January. That's why I scheduled mine for early December so if I fail, I could still try to get in one more attempt after 30 days wait time.

  9. Senior Member Kreken's Avatar
    Join Date
    Sep 2012
    Location
    NYC
    Posts
    261

    Certifications
    CCNP R&S, CCDP, CCNP:S
    #33
    I accidentally dropped on the blog of one of our forum goers, ccie14023. I couldn't stop reading. Highly recommend.

    In one of his articles, Multiple CCIE’s, multiple attempts | SubnetZero, he talks about his attempts and preparations for the security lab. He also created his own lab scenarios and didn't really use a workbook. Reading that gave me a little boost in confidence that there are other people who prepared the same way as I do and passed the exam.

    His suggestion to use block diagrams to memorize IPsec configuration is spot on. I have a mental checklist that I go through to help me with the config but I will follow his suggestion and create one for EZVPN. Something called EZVPN shouldn't be that overly long and complicated.

  10. Senior Member
    Join Date
    Oct 2014
    Location
    San Francisco
    Posts
    104

    Certifications
    CCIE#14023 (R/S, Sec), JNCIE-SP #2332
    #34
    Quote Originally Posted by Kreken View Post
    I accidentally dropped on the blog of one of our forum goers, ccie14023. I couldn't stop reading. Highly recommend.
    Thanks for the kind words. I was hoping to provide a little inspiration for those who are working on this test. I remember how much that mattered to me when I was preparing for it.

    I've been working on the last post ("The Value of a CCIE") for months now. I've been working at Cisco for a year now as a Principal TME working on switching programmability/automation, so I think I have some interesting contributions to this perennial question. Supposedly we are in a software world and CLI will go away, and the CCIE will be worthless. I've been putting a lot of thought into it, so you'll have to wait to see my answer.

    Meanwhile I still need to clean up the posts a bit. Unfortunately I linked to groupstudy.com threads in several of the articles, but they've gone off-line. There were some really classic posts in there (like Bruce Caslow's reaction to the "new" one-day exam) which I hope are not lost forever. I should have grabbed the text instead of linking. Ah well.

    As for EZVPN... Man I got killed on all the IPSec configs and realized I needed a new way to visualize them. And I agree, from day one I noticed there was nothing EZ about EZVPN. Every exam is different, however, and I used none of those techniques when I took the JNCIE in 2014. It's always an adventure.

    Anyway, the link to the whole series is here: 10 years a CCIE | SubnetZero Thanks again.

  11. Junior Member Registered Member
    Join Date
    Sep 2016
    Location
    Hawaii
    Posts
    6
    #35
    Kreken,

    Thank you for citing ccie14023's blog. I spoke to my boss yesterday and he said I can go for the v4 written and lab exams. If I take the written on Nov. 18, I'll have one shot at a re-take in December. Should I pass in December, I'll have one shot at the lab before it changes to v5. I'll be essentially preparing for the lab and written at the same time. Based on your write-ups and ccie14023's blog, a home, always-on lab versus rack rentals sounds like the best setup. The Z2H pod is not quite there yet to lab all the topics. Unfortunately, I don't have the home lab built so I'll need to build it on the fly in the order of topics being labbed.

    ccie14023,

    Your blog is indeed inspirational. The switch from Voice to Security was a real twist. I appreciate the block diagrams as well to visualize the IPsec setup process. Reminds me of the diagrams in the Richard Stevens TCP/IP Illustrated book.

  12. Senior Member mbarrett's Avatar
    Join Date
    Apr 2016
    Location
    DC
    Posts
    193

    Certifications
    CISSP CEH CCNP Security
    #36
    Quote Originally Posted by ccie14023 View Post
    Anyway, the link to the whole series is here: 10 years a CCIE | SubnetZero Thanks again.
    Thanks for the link to your blog - very interesting read. Nice walk back in time.

    Unfortunately I linked to groupstudy.com threads in several of the articles, but they've gone off-line. There were some really classic posts in there (like Bruce Caslow's reaction to the "new" one-day exam) which I hope are not lost forever. I should have grabbed the text instead of linking.
    I noticed that as well. The Internet Archive has much of that site cached; I didn't find specific mailing list posts though - maybe I just didn't look far enough.
    Last edited by mbarrett; 09-22-2016 at 11:13 AM.

  13. Senior Member Kreken's Avatar
    Join Date
    Sep 2012
    Location
    NYC
    Posts
    261

    Certifications
    CCNP R&S, CCDP, CCNP:S
    #37
    @ccie14023, thank you for stopping by. The story A CCIE Goes Home to Cisco | SubnetZero is great. It reminded me of my interview for the previous job. The interviewer was a CCIE and it was done in a troubleshooting style. For each question, I had to give five/six answers. It wasn't very long but it was brutal. By the time I got home, I had an offer in my email. To this day, passing that interview feels like an accomplishment.

    @emporio armani, that is an aggressive schedule. I wish you luck. About the lab... I built the lab on a server but most of the time I don't use it. I do everything on my desktop (i5 w/12GB RAM) at work. I run ISE, WSA and WLC in VMware player. I use a small 3560 on my desk and the rest, routers for VPNs and ASAs are in GNS3. It shouldn't take more than a couple of hours to get everything set up.

  14. Junior Member
    Join Date
    Jan 2016
    Location
    Canada
    Posts
    24
    #38
    Hi;

    I have my Sec v4 lab scheduled for Jan 2017. I will have one shot at it before V5 takes over. Will CCIE Sec v4 written qualify for v5 lab?

    Thanks,
    Fumanchu

  15. Junior Member Registered Member
    Join Date
    Sep 2016
    Location
    Hawaii
    Posts
    6
    #39
    @fumanchu, yes the Sec v4 written will qualify for the v5 lab. A Cisco Learning Network Moderator on this thread in the Cisco CCIE Security Study Group also confirms you can take the v5 lab with a v4 written pass. I may end up taking the v4 written and v5 lab.

  16. Junior Member Registered Member
    Join Date
    Sep 2016
    Location
    Hawaii
    Posts
    6
    #40
    fumanchu, yes the Sec v4 written will qualify you for the v5 lab. I may end up taking the v4 written and v5 lab.

  17. Junior Member
    Join Date
    Jan 2016
    Location
    Canada
    Posts
    24
    #41
    Thank you Emporio.

  18. Senior Member Kreken's Avatar
    Join Date
    Sep 2012
    Location
    NYC
    Posts
    261

    Certifications
    CCNP R&S, CCDP, CCNP:S
    #42
    I just found there is a command in ASA to help you configure VPNs - it lists required steps. IKEv1 only but still.

    ciscoasa(config)# vpnsetup ?

    configure mode commands/options:
    ipsec-remote-access Display IPSec Remote Access Configuration Commands
    l2tp-remote-access Display L2TP/IPSec Configuration Commands
    site-to-site Display IPSec Site-to-Site Configuration Commands
    ssl-remote-access Display SSL Remote Access Configuration Commands
    ciscoasa(config)# vpnsetup ipsec-remote-access ?

    configure mode commands/options:
    steps Display VPN Setup Commands
    ciscoasa(config)# vpnsetup ipsec-remote-access

    ciscoasa(config)# vpnsetup ipsec-remote-access steps

    Steps to configure a remote access IKE/IPSec connection with examples:

    1. Configure Interfaces

    interface GigabitEthernet0/0
    ip address 10.10.4.200 255.255.255.0
    nameif outside
    no shutdown

    interface GigabitEthernet0/1
    ip address 192.168.0.20 255.255.255.0
    nameif inside
    no shutdown

    2. Configure ISAKMP policy

    crypto isakmp policy 65535
    authentication pre-share
    encryption aes
    hash sha

    3. Setup an address pool

    ip local pool client-pool 192.168.1.1-192.168.1.254
    <--- More --->
    etc

    Edit: it is available only in the config mode.
    Last edited by Kreken; 09-27-2016 at 06:31 PM.

  19. Senior Member Kreken's Avatar
    Join Date
    Sep 2012
    Location
    NYC
    Posts
    261

    Certifications
    CCNP R&S, CCDP, CCNP:S
    #43
    It looks like I will get only one attempt at v4 in December. If I fail, I will have to do v5. I've been checking the lab scheduling tool and there is only one date open now for January which could work for me in RTP and none in San Jose.

  20. Senior Member Kreken's Avatar
    Join Date
    Sep 2012
    Location
    NYC
    Posts
    261

    Certifications
    CCNP R&S, CCDP, CCNP:S
    #44
    2.5 weeks left to practice. With the class cancelled on Saturday, it will give me more time to lab VPNs. I think I might have to use Product & Technology site to look up commands for EZVPN.

    Anxiety has been building up and I hope during the exam I won't be a nervous wreck.

  21. Senior Member Kreken's Avatar
    Join Date
    Sep 2012
    Location
    NYC
    Posts
    261

    Certifications
    CCNP R&S, CCDP, CCNP:S
    #45
    tl;dr version
    I failed the lab. Lesson: manage your anxiety better.

    long version
    My flight to NC was uneventful. Upon arrival, I got my rental car and drove to the hotel I was staying in, Comfort Suites. After checking in, I went out to get a dinner; came back and reviewed a little before heading to bed at 9:30pm.

    I was so nervous about the exam, I couldn't fall asleep. With each passing hour, I was getting more anxious because I knew the lack of sleep will have a negative effect on my performance on the lab. My mind was running in this closed circle and I felt like I was slowly losing it staring at the ceiling. 6AM came and I barely slept. My mind was foggy and I felt exhausted. I went downstairs for the breakfast and could barely force down half a cup of coffee.

    At 7AM, I was at building 3 in Cisco campus. Me and other candidates waited for the proctor to come in and let us into the lab. When he arrived and checked us for electronic devices, we were allowed to sit down at assigned desks and start the exam. Due to a sleepless night and anxiety, I could barely think. The section which should have taken me no longer than an hour to complete, took me about two and a half.

    My head finally cleared up a little at lunch time and I was able to take a clear look at the lab. By 2PM, I realized there is no way I will be able to finish the tasks and fix the mistakes I did in the first four hours. At that exact moment, I found my inner peace again which was missing for a long time. It was over, not with a desirable result but it was finally over. I would have left at that time but didn't want to hang out at the airport for six hours. So I stayed and did what I could do in the time still left. When the email arrived, it was no surprise I didn't pass.

    My only gripe about the lab is the interface. I found it to be annoying with the console screens "always on top" enabled. You can't just highlight and right click like in putty too. You have to select "paste" option. Small things but they do slow you down a little.

    Looking back at the lab right now, if I would have been feeling like I felt today in the morning, I believe I would have a good chance of passing it. There wasn't really anything that I didn't know or was new. Although, there were a couple of issues I was troubleshooting that made me go "wtf".

    If I knew that my anxiety would spiral out of control the night before, I would have taken either some sleeping aid pills or drank a bit of cognac. Lesson learned the hard way.

    I am definitely going back for another try. Most likely it will be for the new v5, since all spots are already taken for v4, and around May-June time frame. For now, I will take a short break from studying, read some design books I wanted to and maybe go on a vacation.

    Cheers. Thanks for reading.

  22. ABL - Always Be Labbin' Iristheangel's Avatar
    Join Date
    Dec 2009
    Location
    Pasadena, CA
    Posts
    3,380

    Certifications
    CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #46
    Sorry to hear about your loss. That sucks. If it makes you feel better, the first time I attempted the lab, I spent the weekend in San Jose getting a massage, spa treatment, and the whole works. I slept 8 hours before the test which is 4 more than I usually do and glided into the lab with perfect zen. 8 hours later, I failed by about 1 point. Second time I attempted the lab, I didn't get to take any time off of work prior to that lab, I was working until the moment I got off the phone, and was up until 1AM the night before. I ended up going into the lab with the same amount of sleep as I usually got before I started labbing and I was at my usual stress level and somehow I pulled off a pass. For me, I think the conditions should be as close to how you usually are labbing when you're at home - same level of sleep, pick up a K120 Logitech keyboard or Dell keyboard (depends on the spot you sit in the lab but they're mostly K120s worldwide), get used to arranging your putty windows to match topology when labbing.

    Other general recommendations I can make:
    - Learn to love notepad. It's a great way to spot check your config before you copy/paste, if you copy/paste into the wrong device you have a quick easy config written out to back out, and a lot of the exam might have you doing similar configs which you can easily copy from there
    - Each task, open just the putty windows you need for that section and arrange it like the topology. I liked having the topology up on one window and my putty sessions on the other window so I could correlate
    - You can't know everything but know where to find the important stuff quickly in DocsCD in the event you have a brain fart
    - "Don't knock on the glass. It's not a summoning portal" - LoL
    - Always hug the proctor on the way out the door. It's good luck

    If you do plan on going for the v5 lab, keep me in the loop. We might end up going around the same time.

    My recommendation is also to go to NC the next time you attempt as well. David Blair is sarcastic but at least he does take some of the stress off and he communicates with you. When I went to San Jose for my first attempt, I didn't get any info. The proctor wouldn't even say if they would grade the lab or someone else would. David could seem off-putting to someone really nervous but I get the sense he really wants people to pass and he tries to help in the ways he can without breaking NDA or holding your hand or helping you actually pass the test.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com/blog
    Bonus TE Fun: Nerd Photos

  23. Senior Member Kreken's Avatar
    Join Date
    Sep 2012
    Location
    NYC
    Posts
    261

    Certifications
    CCNP R&S, CCDP, CCNP:S
    #47
    Thanks Iris.

    - Each task, open just the putty windows you need for that section and arrange it like the topology. I liked having the topology up on one window and my putty sessions on the other window so I could correlate

    This is great advice. Much better than the mess I had on my desktop with everything open.

    - "Don't knock on the glass. It's not a summoning portal" - LoL

    Don't wave to David either. I missed that part so we ended up waving to each other through the glass. hah.

  24. ABL - Always Be Labbin' Iristheangel's Avatar
    Join Date
    Dec 2009
    Location
    Pasadena, CA
    Posts
    3,380

    Certifications
    CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #48
    Hahahaha. David is a really good guy. Next time you go through there, tell him Katherine says hi. He's supposed to do a Webex session with some folks in our study group on "what you need to know before you go into the lab" with some really good logistical advice. I'll record and send you a link
    BS, MS, and CCIE #50931
    Blog: www.network-node.com/blog
    Bonus TE Fun: Nerd Photos

  25. Senior Member
    Join Date
    Oct 2014
    Location
    San Francisco
    Posts
    104

    Certifications
    CCIE#14023 (R/S, Sec), JNCIE-SP #2332
    #49
    Many of us have been there.

    CCIE R/S: Didn't sleep either, but managed to pass in one attempt. Don't worry about not sleeping. It's better to be rested of course, but you can do it with no sleep if you have to. Worrying about it just makes it worse.

    CCIE Sec: Three attempts. First time was crash and burn, second time almost made it. Third time was easy.

    JNCIE SP: First time I realized I failed within the first hour. Yeah, you get some peace at that point, but not a good peace. The whole lab was based on one thing that I just couldn't figure out. Second time I passed.

    Point is, you fail and get back on the horse.

    Although I took Security nearly 10 years ago, one thing I always recommend is finding out what setup they will give you in the lab. That, AFAIK, is not under NDA. When I did JNCIE a couple years ago, I got killed because I use a Mac and they had a PC with SecureCRT. I was messing up copying/pasting. That wasn't what failed me, but you can be sure I got a Windows VM on my Mac and played with SecureCRT a bit before I did my second attempt.
    Last edited by ccie14023; 12-14-2016 at 11:11 PM.

  26. Senior Member Kreken's Avatar
    Join Date
    Sep 2012
    Location
    NYC
    Posts
    261

    Certifications
    CCNP R&S, CCDP, CCNP:S
    #50
    Thank you. Next time it will be different, I hope. The exam will not have a version change for a while so I wouldn't feel the same kind of pressure.