  1. Junior Member
    Join Date
    Oct 2008
    Location
    Canada
    Posts
    1

    Certifications
    MCSE, CCNA
    #26

    How much will the CCSP help?

    Hi all,

    I was just wondering if anybody knows or has an idea of how much having a CCSP will help in getting the CCIE Security. This is assuming, of course, that you really know all the stuff included in the CCSP track and have some hands-on experience.

    Would you say having the CCSP equals being 50%, 70%, 25% (or whatever %) ready for the CCIE SEC?

    Thanks

  3. Ahriakin (SupremeNetworkOverlord, Moderator)
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343, MCSE 2003-Sec, LPIC-1
    #27
    It's hard to quantify. I couldn't imagine trying it without the CCSP, but there's a lot more you need to learn. I'd put it at the 50% mark at most.

  4. Ahriakin (Moderator)
    #28
    And here ends the 2nd back-to-back session/full lab attempt and, surprise surprise, I actually finished it this time. I reckon, taking off breaks, it took about 9 hours, so I still need to work on that speed issue. But I'm getting a bit faster each time. The only major problem I had was with Remotely Triggered Black Hole Routing. It relies completely on BGP and route-map configs, which are definitely my weakest areas, and as far as I can see it's not in the lab-accessible docs. I downloaded the Cisco whitepaper and will be going over it tomorrow most likely, and hitting the CBTNuggets BGP modules hard. The problem I had last night with one router not sending/receiving OSPF routing updates (when it was forming neighbor relationships with its peers) didn't happen tonight; different rack completely, but I checked the configs against last night's and the routing was identical. Made me feel a wee bit better that it was the backbone and not my own stupidity.
    I got a bit more used to using VLAN assignments to hop the Test PC around too. Silly, I know, but I've been walking on glass around the switch configs up until now, no real reason, just the hind-brain cross-wiring and associating it with a dark cave.
    I made a few mistakes I caught after checking the solutions, and a few alternate ways of doing the tasks that still worked. I had to use the docs for dot1x, ASA failover, auth-proxy (I HATE auth-proxy, the IOS setup is a mess, on the PIX/ASA it's easy) and IOS EZVPN, but all of those I am happy to leave as docs-when-needed: I know when to use them and I have a good idea of the setup off the top of my head, but the commands are convoluted enough to leave to the documentation.
    The only filtering issue I had was with the VPN3K, passing a LAN-LAN through it from a router to the ASA. The VPN3K default Public filter includes IKE/ESP passthrough in both directions, so I checked it was applied and then configured the other devices (incl. a PIX also in the middle of the traffic flow). ISAKMP was fine but no ESP back from the ASA. Of course I checked the PIX ACLs, the proxy ACLs on both sides etc. Finally I went back to the VPN3K: not only was the "IPSEC-ESP Out" rule removed from the Public filter, it had been deleted completely from the box. Some plonker had previously used it and wiped it out. If you aren't familiar with this, the VPN3K approximates ACLs with Filters: there are a number of preconfigured rules that you can assign into a filter, then you assign the filter to your interface. So there is no reason to ever delete a rule; if you don't want it you just un-assign it from your filter, done...easy...doesn't mess up the guy behind you. Anyway it was easy enough to make a new rule to allow the same traffic and apply it to the Public filter, it was just annoying that someone left it that way. Must remember in future to wipe the configs completely at the start instead of presuming the boxes were reloaded.

    Anyway that's it. After 2 of these in a row I am completely exhausted.
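    The destination-based RTBH setup the post above refers to, shown here as an added example that is not from the original thread or its author. It follows the standard trigger-router / edge-router design from Cisco's RTBH whitepaper that the post mentions; the AS number (65000), the trigger and edge peering addresses (10.0.0.1 and 10.0.0.2), the discard next hop (192.0.2.1), the route tag (66) and the victim host (203.0.113.10) are all constructed for illustration.

```cisco
! ===== Trigger router (constructed example, AS 65000) =====
! To black-hole traffic to a victim host, add a tagged static route for it.
! The tag is what the route-map below matches, so ordinary statics on this
! router are never injected into BGP by accident.
ip route 203.0.113.10 255.255.255.255 Null0 tag 66
!
router bgp 65000
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.2 send-community
 redistribute static route-map RTBH-TRIGGER
!
! Only tagged statics are redistributed. The next hop is rewritten to the
! discard address, local-preference makes the route win over any legitimate
! path to the same prefix, and no-export keeps it inside the AS.
route-map RTBH-TRIGGER permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
route-map RTBH-TRIGGER deny 20
!
! ===== Each edge router =====
! The discard address is statically routed to Null0. The victim /32 learned
! from the trigger has 192.0.2.1 as next hop, so it recursively resolves to
! Null0 and the packets are dropped at the edge.
interface Null0
 no ip unreachables
!
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 65000
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 update-source Loopback0
!
! Source-based variant: loose-mode uRPF on the external interface also drops
! packets whose *source* address currently resolves to Null0, so the same
! trigger route can black-hole traffic coming from an address as well as to it.
interface GigabitEthernet0/0
 ip verify unicast source reachable-via any
!
! Verification on an edge router once the trigger route is in place:
!   show ip route 203.0.113.10   -> BGP route via 192.0.2.1
!   show ip cef 203.0.113.10     -> next hop resolves to Null0
! Removing the tagged static on the trigger withdraws the black hole everywhere.
```

    The point of the design is that operations staff only ever touch the trigger router, and the edge routers need no per-incident change: the Null0 static for the discard address and the BGP session are configured once. The `no ip unreachables` on Null0 stops the edge from answering every dropped packet with ICMP, which would otherwise turn a black hole into a reflector during a flood.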

  5. Ahriakin (Moderator)
    #29
    No labs the last few days, just some work and study. I went over RTBH and then did the CBTNuggets BGP/Route-Map and QOS modules (about 1/3 of the BSCI and 1/2 of the ONT courses). It clarified a few things for me, but I'm going to read over the Doyle TCP/IP Routing books as well as Troubleshooting TCP/IP Routing Protocols in the next few weeks. I guess when the Security lab is finally done I may as well do the CCNP since I've prepped a fair bit for it already. I've got a minimum of 2 back-to-back sessions per week now until the exam, and the next round starts on Thursday.
    Today will be more work on RTBH to keep it fresh in my mind, and maybe the PIX/ASA Handbooks.

  6. Ahriakin (Moderator)
    #30
    The last few days were spent skimming over "CCIE Professional Development Routing TCP/IP, Volume I, Second Edition". A very good book and one I guess pretty much everyone heading down any CCIE road has read; the only qualm I have is with the choice of router names. 'When ChilliQueen is sending packets to PurplePlanetMongo via HyperDeathCheese.....'....well, not quite, but believe me the names are as odd, if not as fantastical. To me it's like word-noise just contributing to any mental static that is already getting in the way of absorbing the actual principles. Maybe it's just me, but it bugged the hell out of me after a while. It really helped my understanding of route-maps and BGP (though the latter still needs work), both of which, as I guess I've made clear by now, are the biggest components central to the CCIE Sec that are not covered at all in the CCNA/CCSP. So if you take the same route as me, be prepared for it to be quite a 'fun' hurdle.

    Today was a double / 11.5 hour session doing IWEB Lab 2 (Difficulty rating 6/10). It was a pretty good lab actually, a nice spread of technologies (transparent firewall, multiple contexts, VPNs between every class of device and plenty of AAA). I started an hour late as I didn't get set up until 6pm or so; night shifts are messing up my body clock too much.
    I ran into 2 major problems. The first was a management VPN from one router to the transparent ASA. The issue was that the router already had a crypto map sourced from one of its Ethernet interfaces from a previous step; what got me was the peer IPs, I didn't use the sourced interface but the perimeter interface (facing the ASA). It wasn't hard to work out, the debugs on the ASA threw it up straight away, but it annoys me I didn't work it out initially. The second I spent a lot of time on simply because it was so frustrating, another case of if it was the real thing I would have moved on after 10 mins but hammered at it probably for about 40 mins or so. It was a relatively simple LAN-LAN between 2 routers (with a PIX between them). Usually easy enough: I set the ESP/ISAKMP ACEs on the outside-in ACL, then wrote the major part of the ISAKMP/IPsec configs in Notepad and pasted to both routers (so I know absolutely the policies/transforms etc. matched), but it would never complete phase 1. I rewrote the policies, changed them to completely different but matching values, allowed all on the PIX, rebooted the routers. Nope. Debugs showed the ISAKMP policy was accepted and then nothing, no more debug output on the initiating router, and nothing useful on the 2nd (though it was showing the negotiations). I checked the solutions when I'd had enough and my config was perfect. It's still bothering me though, if it was something I missed. I might try this one again next week if I have time.
    I made it through section 7 (out of 8); time spent (excluding breaks and the late start) was about 9.5 hours. The last 'level 6' I did took 9 hours to complete on the 2nd try, with only reaching section 4 on the first night, so I'm getting faster....still not fast enough though.

    4 weeks to go.....I'm getting nervous enough that it's already messing with my sleep. Normally exam jitters don't bother me, maybe a bit on the car trip to the testing center, but nothing like this. We've sunk most of our savings into this, with books/labs/equipment/bootcamp/exam+travel etc., so it's making me feel a bit guilty: what else could we have done with the money? Hell, in this economy it'd just be nice to have it in the bank...mebbe 'bank' is a bad idea. The wife is very supportive; there's no way I'd be at this stage without her. My first CCIE-earned paycheck goes on whatever she wants (okay, being married, and honest, 'first' won't be the last).
    Anyway, enough babble. I'm off to play a bit of Far Cry 2 and let the steam out of my wee noggin.

  7. Ahriakin (Moderator)
    #31
    Okay, IWEB Lab 4 (Difficulty 7/10) down...well, mostly. The ACS (AAA) server was fubar, wouldn't respond to requests from anything on any protocol. But the CA and the GUIs for the VPN3K and IPS were fine. I did what I could substituting local AAA instead, but it was a pain in the ass so I skipped most of the dedicated Identity Management section. With that out of the way, the rest of this lab was pretty tough. A lot of NAT early on to get around problem areas, like moving a server from one subnet to another and not changing its IP, then getting the nearby PIX to proxy-arp for it and its still-programmed default gateway (which was now on the other side of the PIX), or using it to 'move' one router close enough to the one it is supposed to peer with but has no direct route to, etc. I thought I knew NAT really well, and for the main concepts I do, but this sort of 'trickery' killed me. Needs a lot of work. If I'd hit this one for real I'd have failed badly, probably in the 60's. The one good thing is I'm still getting faster at the core tasks. But I'll walk away from this one with my ego bruised and a long list of things I need to get a lot more detail on.

    Anyway, another 2 day back-to-back done and my brain is once more fried. Off to blow off some steam and then hit the books again tomorrow.

  8. Ahriakin (Moderator)
    #32
    Work reared its ugly (yet cash-making) head again, but I'm studying through Cisco Press' "CCIE Practical Studies: Security" at the moment, about halfway through. It's based on the 1.0 blueprint so you can't take it as gospel, but it's got a very good review of the key Route/Switch (non-security) concepts you need for the lab, actually a little too much I think, since the older blueprint was more R&S focused anyway. I haven't gotten to the dedicated security appliance sections yet, but just for this filtered R&S review it's well worth a read.

  9. Ahriakin (Moderator)
    #33
    Another few days closer to D-Day and not a whole lot to report. Had to work up my hours again to get the time to do today's and tomorrow's double lab sessions, so I didn't get to study much. During the more repetitive work I left IWEB's Advanced Technologies classes running in the background; I redid the Advanced AAA and IPS sections, though I couldn't concentrate on them enough to call it proper study. I'm hoping at least something will sink in subliminally....yes, I am getting that desperate.
    So today was IWEB Security Workbook Vol II - Lab 6 (Difficulty 7/10). This was a very good lab imho, influenced in part (okay, a lot) by the fact I did much better on it than last week's 7/10. It was very VPN heavy, and this time I was prepared for the tricky NAT mazes in the way and had no problems with any intervening devices/filters. There was one WebVPN section, but being on the VPN3K it was pretty intuitive. I still dread seeing it on the PIX/ASA though; their WebVPN setup via CLI is a convoluted mess that definitely looks as if it was designed with the GUI in mind first and the CLI was an afterthought. Still, I'll have to practice that on my own if the next few labs don't tackle it, if even just to get used to using the Docs quickly for its configuration. I've gotten the hang of sourcing crypto maps from internal interfaces (i.e. away from the physical interface(s) to which the maps are applied) and how this affects NAT etc., so that was one nasty hurdle from last week's lab that became a minor speedbump from the experience. The IPS section was as usual pretty straightforward, no IOS IPS, which kept it simple. This one definitely kept you on your toes as regards intervening filters; one point on the network had an opposing CBAC firewall and a transparent ASA, so forgetting that nice little potential black hole was a no-no with VPNs flying left, right and center. That and the PIX with its multitude of inside and outside NAT types were the real core of this one; the tasks themselves weren't too complex, but making them work when traversing these devices was.
    My Attack Mitigation has improved too; though it still needs work, I'm getting a better feel for where certain commands should be even if I don't know their details offhand.

    Speed has greatly improved too. Today's lab minus breaks took just under 8 hours...yes, finally I did one in the official time allotted. 'Course that didn't leave me time to actually check it, but I was doing that per section with the solution guide anyway (when the outright results weren't easy to check).

    Overall I was very happy with today's. Which is odd as I expected things to be a lot tougher; my lab-induced insomnia is getting worse so I had about 3 hours sleep today before heading into this. Where would IT be without caffeine (and that rather nice Mocha Almond coffee creamer from International Delight, seriously it's brownie in a cup with a kick). Anyway I know the sleep thing will hit me tomorrow so it's a good thing I finished early tonight.

    Tomorrow will be Lab 8, another 7/10; only one more of those left after it and then it's time to move up again. I've enough sessions booked now to finish the workbook and have one double left over for revision, so my schedule is set for the next 3 weeks.....3 weeks....damnit, wide awake again.

  10. Senior Member
    Join Date
    Jun 2005
    Posts
    173

    Certifications
    CCNA,CCSP,CCIE Sec Written
    #34
    Keep it up, man.

  11. Ahriakin (Moderator)
    #35
    Thanks, how are things going on your side? December, isn't it?

    Tonight was IWEB Lab 8, 7/10, and it was a lot tougher than last night's. VPNs everywhere....E V E R Y W H E R E....coming over the hills, through the trees *wide eyed crazed war vet look*. Seriously though, besides an intensive VPN dedicated section (multiple LAN-LAN, L2TP Remote Access, dynamic LAN-LAN, QoS for VPN) some of the other sections snuck them in as well (like eventually having to use one to enable the AAA/IDM/Syslog server to access the IPS in order to bypass some previous NAT shenanigans). My network diagram now looks like a Dali-esque painting of spaghetti. I'd say about 3/4 of it was okay, but I was majorly stumped on the other 25%, just things I have never even tried like SNMP v3 user rights within the MIB tree and switch resource optimization; about half of that was either intuitive or could be easily found in the Docs, but that last 1/8th or so would have just been a complete blackhole for me in the real thing. 12% down the drain before even checking what I had already done. Not good.
    I really need to bone up on L2TP. It's not that hard, but I've never configured it outside of a lab and there are a few little gotchas, like remembering its control port on your ACL if you are required to remove sysopt permissions and manually filter VPN traffic.
    There were some issues with the initial configs as well. One core router's interface setup was completely FUBAR'd, which messed up the routing table further down the line. One of the BB routers was supposed to peer via OSPF with the PIX but it wasn't set up for it (correct config on the PIX, the BB could be pinged and OSPF debugs showed hellos from the other neighbor but nothing from the BB). Also a couple of nasty errors in the actual tasklist (wrong VLAN numbers and IPs). None of which were earth shattering or hard to find and fix, but it's a distraction I don't need, esp. when I have to start second guessing myself for doubting the text and spend time researching why it might be right when in fact, yes, as good old Occam's razor would prove, it was just a typo.

    Anyway, as usual after a 2 day lab bender I need to go dip my head in a bucket of ice. More study over the weekend....Next session is on Tuesday.

  12. gojericho0 (Senior Member)
    Join Date
    May 2004
    Posts
    1,061

    Certifications
    A+, Security+ Network+, MCSA:S 2003, CCNA
    #36
    Just started reading this blog. Awesome work so far Ahriakin...keep it up!

  13. Senior Member (CCNA, CCSP, CCIE Sec Written)
    #37
    Yes, December 5.

    I'm doing some IPS stuff, VLAN pairing etc., some DMVPN/GRE tests, AAA troubleshooting, and keep studying, studying and studying.

    You know how it is :P

  14. Senior Member
    Join Date
    Dec 2006
    Location
    Ontario
    Posts
    1,092
    #38
    Sounds like it is coming along well. Do you have some time off from work before your lab?

  15. Ahriakin (Moderator)
    #39
    Not too much of a problem as I work part time now. When we relocated away from the company datacenter I was set to quit, but they asked if I'd stay on part-time until they found a replacement, which suited me fine as it covered our bills while I had more time to study. 7 months later and they're talking about finally doing some interviews for my old job this month. So, unless there's an emergency, my hours are very flexible so long as I do at least 20 hours (usually it's more; up until the bootcamp in Sept. I was working close to 40 anyway but had to cut back getting closer to the lab). For this stage of the trek it's working out pretty well, so I'll take the week off before the exam. I think management know that if it's a choice between work and the CCIE they lose, but to be fair my direct manager is a decent guy and doesn't push me on my schedule anyway unless it's important.

    The last few days have been study between work hours. I finished off the CCIE Practical Studies book (very good imho, except having to pretty much skip the PIX sections as they are all 6.3 centric). I've also been running the IPexpert Audio CD Bootcamp and DVD class in the background while I work; again, it's not exactly intense study, but ya never know what will sink in.
    The next lab session is tonight. Since I'm normally on nights to match the wife's work schedule, all of my sessions start at 5pm CST through to 4:30 am, but I ended up waking up this morning at 8am and couldn't get back to sleep, sssssooooooo it's going to be a LONG night with lots of coffee. But it can't be helped.

  16. Ahriakin (Moderator)
    #40
    I caved. 6 hours in and the lack of sleep has gotten to me. I went as far as section 6 and will do the last few sections on paper tomorrow...shoot me.
    Up until now the lab was going really well: a good blend of LAN-LAN VPN, Remote Access VPN (router as an EZVPN client), DMVPN, some CBAC and mixed ACL types on the routers, and a nice lump of NAT sitting in front of the ACS server. The VPNs I don't really have any trouble with (besides some syntax errors on the DMVPN, but they were easy enough to spot during troubleshooting), and this time I flew through the NAT sections and for once didn't get lost trying to remember them when configuring other tasks that passed through it (yes, it has finally clicked...or this one was easy...probably a bit of both). The AAA section had a few interesting tasks but some badly worded questions, unless they were deliberately 'trick' questions. For example, one wanted to automatically authorize certain users on the PIX to priv. 15, easy enough by just setting it in their profile's TACACS section, but it also dictated that they had to reach 15 with different enable passwords...er....okaayyy....I didn't see why it was necessary but still tried to find a way to force them to use dif. enable passwords, even though they were already at 15. I configured different enable passwords and levels but nope, couldn't force their use with an autocommand. The solution mentioned nothing about the enable password clause and just went with my first thought of using the priv-level assignment straight from TACACS.
    Anyway, still a few little mistakes along the way, so I still need to work on being extremely detail oriented; 'close' won't cut it. If I give the impression here sometimes that I am 'passing' all of these, it's not the case. I judge it to be a good lab if I rarely had to use the Docs or solutions and knew the concepts behind the majority of tasks; I am rushing them a bit and do make mistakes that would cost me points. Speedwise, until the tiredness just became too much I flew through this one, though that could just be from getting used to the format. I'm getting more confident at zipping ahead and doing standalone sections while I wait for reboots etc., which definitely helps.

    Tomorrow will be the first 8/10....

  17. Ahriakin (Moderator)
    #41
    Not much study today after all. We wiped our old Nagios server on Monday and replaced it with Opsview (which I highly recommend btw; it's still Nagios based but vastly improves on its weaknesses with an excellent wrapper and improved web console). Anyway, I'm busy rebuilding its inventory. It can import your existing Nagios configs, but only if they are configured in a manner similar to Opsview itself; e.g. I wasn't very organised in how I created groups when first setting Nagios up, it all worked fine but some group members were defined in the group definitions, some from the host definitions etc., which wouldn't really work, so I figured I'd just start from scratch now that I understand the pitfalls a bit better. So most of the last few days and the rest of tonight will be spent adding devices and services to it. Again I'm keeping CBTs running in the background though. Right now I'm going through the IWEB Advanced Technologies class again.
    I've also started reading "Cisco Router Firewall Security" by Richard Deal for when I take a 'break'. Onward to my first brain aneurysm!.... (em, Fate? That's not a request)

  18. Ahriakin (Moderator)
    #42
    AAAAAAAAAAAAAAAAAAAAAGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH

    Anger

    The 2 ASA Eth0/0 cables not being physically connected (though support did fix that quickly) and a couple of nasty mistakes in the lab itself were annoying, but it all got trumped by my rack completely freezing 20 mins ago. I've cleared lines and ultimately power cycled the whole thing (knowing that I would lose a good bit of the VPN module in the process) and nothing. I just sent off a ticket to their support again, but it's too late to try getting back into this.

    This was Lab 3, an 8/10, and I was actually doing better than I expected on it, which pisses me off even more!...Okay, will try to calm down a bit. This one had a fairly extensive initial setup; this section is usually a 15 pointer but on this lab was 21 as there was a lot of routing setup and authentication to be done. It was finished off with a notice that there were 2 deliberate errors in the setup and you had to find and correct them. 2 were obvious from the diagram: the VPN3K would block a crucial BGP peering, so you had to create rules to allow it and assign them to the Public filter, and then another right in the corner as the IPS was inline between 2 VLANs. The funny thing is the IPS was not number 2 according to the solutions; it was an OSPF authentication mismatch between the 2 routers either side of it. em...nah. Normally you'd pick this up easily enough by checking the route tables at key points, isolating where the blackhole is and running debugs on the routing protocols between them, which is what I did anyway, which of course yields no results as there is no traffic going between the 2 routers to debug! So I was right, the IPS was the real 2nd phantom problem and the auth a distant 3rd. The IPS section was 4 modules away but I skipped ahead and finished configuring it anyway, then went back and repaired the authentication on the 2 routers. Now you'd think that if this was the intent it was a good test, but it wasn't; the task specifically stated 2 errors and the solution list completely ignored the IPS. I'm guessing the IPS was put in there near the end of their planning for this one. Anyway, it was still good troubleshooting practice and wouldn't have pissed me off if I hadn't earlier had to deal with the 2 ASA outside interfaces being physically disconnected and later found the setup to one of the BBs was hosed; it was dead to the world so I had to skip sections involving it (simple stuff like NTP that wasn't a big deal, but it didn't help my mood).
    The rest of the lab was tough but in a good way. No one area was overloaded, so there was a good balance of routing/NAT/VPNs and all that good filtering fun in between. The only major hiccup was with a certificate-auth'd LAN-LAN VPN between the 2 ASAs through the VPN3K. Everything went fine until I hit the stipulation that you had to use the hostnames in the tunnel-groups. I hadn't done that before but configured each peer as a 'name'd host and used that name for the tunnel group....nope....it should have been the FQDN...which I guess was kinda obvious. I'll just have to chalk that one up to experience, but it's easy enough to remember in future.
    My DMVPN is nearly perfect now; I checked the Docs but mainly just for verification before applying the settings. Big improvement in understanding when to use NAT vs. routing to bridge some gaps; it was a major problem for me before.

    I just checked and the rack is responsive again. 30 mins now, most of my VPN setup and my patience are gone so I'm not going back to it.
    I have one session more than I need to complete the workbook before the lab so I'll probably just go back to this one in a week or so.

    Studywise I'm working through Richard Deal's "Cisco Router Firewall Security", I love his books. Just the right amount of information and a great layout - there's always a detailed example at the end of each chapter so if it's a topic you understand and just want to refresh your config knowledge you just skip to the end. It's nice having that flexibility.

  19. Ahriakin (Moderator)
    #43
    I thought I should add after so much complaining last night that the rack vendor's support is very good. The few times I've had to use them they have been very prompt and always resolved the issue. It was just an unlucky night and I was already too tired to put in as much effort as I should have.
    Tonight is more reading and I might start redoing the smaller technology labs from the IPexpert workbook. I also plan to create a BlackHole Filtering lab this weekend.

  20. Ahriakin (Moderator)
    #44
    Hopefully later I can compile a more comprehensive list of Web resources but I'll start today by updating the initial posts with links to useful sites/blogs/technotes etc. First up is IWEB's security Blog, some great little nuggets of info.

    http://blog.internetworkexpert.com/c...ccie-security/

  21. Ahriakin (Moderator)
    #45
    I'm about 2/3 through "Cisco Router Firewall Security" and it's superb. Pretty much everything that I had no clue about on the router sections of the test labs is in here. I originally had it on the shelf as an if-I-had-time read, which is why I'm only getting to it now, but I'd rate it as an absolute essential, esp. if you have less of a background with router security, as I do. Another gold star for Mr. Deal.
    I've been sitting on our balcony reading it since lunchtime, watched the sun go down and figured it was time for a break. So off to explore Far Cry 2's pretty (if a little boring) world and then back to try and finish this one tonight.

  22. Turgon (Senior Member)
    Join Date
    Apr 2007
    Location
    Great Britain
    Posts
    6,250

    Certifications
    CCIE counter..993 Lab Hours.... 532 Reading.
    #46
    Quote Originally Posted by Ahriakin:
    I'm about 2/3 through "Cisco Router Firewall Security" and it's superb. Pretty much everything that I had no clue about on the router sections of the test labs is in here. I originally had it on the shelf as an if-I-had-time read, which is why I'm only getting to it now, but I'd rate it as an absolute essential, esp. if you have less of a background with router security, as I do. Another gold star for Mr. Deal.
    I've been sitting on our balcony reading it since lunchtime, watched the sun go down and figured it was time for a break. So off to explore Far Cry 2's pretty (if a little boring) world and then back to try and finish this one tonight.
    There's some good Cisco Press stuff out there that does tend to sit on a shelf these days. A lot of folks put store in vendor materials and put off reading these books. For my part I have found both Solie's and Duggan's Cisco Press books very useful indeed. Sales of these books are down as the vendors market more and more materials. I have to say though that, having used both vendor material and these books, they do fill in gaps and explain essential things sometimes in a much better way. It's a shame more candidates put off this kind of reading these days, because I think they are missing out on some great clarification opportunities, even though both the Solie and Duggan books do cover some topics that are now off the lab blueprint. What remains is still very informative. I have worked examples from both books on my home rack and it's certainly helped my understanding.
    Reply With Quote Quote  

  23. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #47
    Aye, any reference is only as good to you as your ability to absorb the knowledge, so writing style and presentation are almost as much of a factor as the data. Obviously knowing the official Docs is essential for the lab; besides the less common topics they cover, they're our only reference material to hand, but they are usually very dry and imho are not a good initial source of learning. I prefer a good 3rd party book first and then do a scan of the Docs to fill in the blanks. I've read 2 of Richard's books now (the Router Firewall and VPN Guides) and both are on my desert-island list....what use you'd have for Cisco manuals on an island I don't know but mebbe it'll impress the natives.

  24. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #48
    Finished the Router Firewall Security book and did a little from "Troubleshooting Virtual Private Networks", also again working my way through the IPExpert Audio CDs while getting some work hours in.
    Today I'm restarting the IPExpert Workbook mini-labs. I have 1-7 already set up for my Dynamips lab, and will do up no. 11 in a min. too. I've booked 2 sessions with them for tomorrow night 11am-6am and the same for Friday night to work on the others and fill some gaps. They range from 1-4 hours, most averaging 2-3hrs, so they're good fillers.
    I have Full (double) IWEB lab sessions on Wed, Thurs and Sunday and then I'm done. If I need more full lab time by then I don't need to be sitting this exam....brave words 9 days out

    At this stage I'm comfortable with the VPN3K and IPS, they're done and dusted. My PIX/ASA has improved but there are a few little things I need to go over. VPN between any of the devices I have down pat, but will need the Docs for some like EZVPN on IOS, WebVPN and a little on DMVPN for verification; I've accepted this and won't focus on the syntax much more. My NAT knowledge is good for the main functions and getting better on some outside trickery for forcing proxy arp for non-standard addresses etc., but it still needs work. Attack mitigation is much better but I need to do a bit more on little things like fragmentation under IOS and the logging side like intervals and the various options for timestamping etc. NAC, now there is an enigma. It's on the blueprint but it's barely touched in the Labs I have, and I've been told that it is so time exhaustive that it just can't be realistically tested at the main event. In any case one of the IPexpert labs focuses on it heavily so I'll give it a go this week.
    So confidence level just over a week out? Well I'm sleeping better but obviously I have no way to accurately gauge my readiness until I actually sit one, so I'm trying not to make assumptions about it. All I know is the last few months have tremendously improved my knowledge, which is great in itself, I just don't know if it will be enough.

  25. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #49
    Okey dokelarooney neighbor. IPexpert Lab 11 was fairly straightforward. Essentially it was about configuring application services like NTP, DHCP etc., so not too hard at all. I did get caught on the core-dump config and the RCP copy commands though. I couldn't for the life of me remember the IOS start command and kept trying to find Crashinfo command references (PIX/ASA) instead. It's "exception" in case you're curious. One thing I find very annoying is not being able to find this information by navigating the new Cisco Docs layout, but it is there if you google; the URLs don't even make enough sense for you to backtrack and find them manually that way for future reference. I mean I can find the doc. through a web search, look at its title, know where it should be in the navigation tree and then find it's not there. Great.

    I just finished redoing Lab 1 again too. This is a very good ACL primer. 5 Routers and a simple mix of RIP, EIGRP and OSPF on the different segments. It runs through normal, using Established, Lock and Key and Reflexive ACLs as well as CBAC. Probably the single best lab I've seen so far in this workbook as far as topic coverage and quality/simplicity of design. I messed up the timeouts on the Lock and Key section but otherwise it worked. No use of the docs except correcting those timeouts, which is a big improvement over the first time I did this one in Sept.

    I'm going to take a break and then hopefully do another IPexpert mini lab.

  26. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #50
    IPExpert Lab 2 redone. "Network Attacks and Advanced Filtering". A decent enough little lab using Policy Based Routing, MAC and VLAN filters, TCP Intercept, NBAR Filtering and some miscellaneous attack mitigation. Not the best written lab in the book, as a few of the tasks that should be under one point are out on their own, making the order of configuration a bit confusing. Also my Dynamips image is 12.4 and doesn't include TCP Intercept anymore, so I did the tasks using CBAC instead; the syntax is very similar once you remember to just use "ip tcp intercept xxxxx" instead of "ip inspect xxxxxx". Ditto for the PBR section where you would normally set the interface to Null0; this isn't supported on this image so I did it a little differently to the solution guide, basically borrowing a step from Remote Triggered Blackhole Routing: I set its next hop to 192.0.2.0/24 under the Route-map and set a static route to that subnet via Null0. Just an extra step for the same result.
    Enough for today methinks.
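    The PBR discard workaround described in the post above, written out as an added example (it is not the poster's or IPExpert's configuration). The ACL name, route-map name, ingress interface and the 198.51.100.0/24 source range are assumptions; 192.0.2.0/24 is the post's own black-hole next-hop subnet.

```cisco
! Added example, not the poster's or IPExpert's config. Normally PBR would use
! "set interface Null0" in the route-map; on an image that rejects that, point
! matching traffic at a next hop whose only route is a static route to Null0,
! the same trick Remotely Triggered Black Hole routing relies on.

! Static route: the black-hole next-hop subnet is reachable only via Null0.
ip route 192.0.2.0 255.255.255.0 Null0

! Assumed ACL naming the traffic to discard (198.51.100.0/24 is a constructed
! sample source range, not an address from the lab).
ip access-list extended DROP-SOURCES
 permit ip 198.51.100.0 0.0.0.255 any

! Matching packets are policy-routed toward 192.0.2.1; the lookup for that
! next hop resolves to Null0, so they are dropped. Non-matching packets fall
! through the route-map and are forwarded normally.
route-map DISCARD permit 10
 match ip address DROP-SOURCES
 set ip next-hop 192.0.2.1

! Assumed ingress interface on which the policy is applied.
interface FastEthernet0/0
 ip policy route-map DISCARD
```

    "show route-map DISCARD" shows the packet count hitting the discard clause, and "show ip route 192.0.2.1" confirms the next hop resolves to Null0.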
