Posts Tagged ‘blueprint’

May 11

As most candidates preparing for the CCIE hopefully know by now, a blueprint change is coming for the CCIE R&S Lab in October 2009, which includes the new addition of MPLS. Tomorrow I will be teaching a free vSeminar entitled Introduction to MPLS for CCIE R&S Candidates at 11am PDT (GMT -8). Anyone interested is welcome to attend. Registration information is available at http://www.ine.com/free_ccie_vseminar.htm. If you are interested, but unable to attend, the session will be available in Class-on-Demand format shortly following its completion.

Class duration will be about two hours, and will focus on what will, and just as importantly what will not, be within the scope of MPLS topics for the new exam blueprint. Both theory and implementation will be covered. No previous knowledge of MPLS is required to attend.

Good luck in your continued preparation!

Mar 21

Hi, Everyone!

We are in the process of upgrading our CCIE Security racks with the new software and hardware. Here are the specs that you can use to build your own rack. The rack consists of six routers, two switches, two ASA firewall appliances and one IPS sensor. The hardware models and their specs are outlined below:

R1-R5: 2611XM 32/128, IOS 12.4(15)T ADVANCED SECURITY
R6: 2811 64/256, IOS 12.4(24)T ADVANCED ENTERPRISE SERVICES
SW1-SW2: CAT3550, IOS 12.2(50)SEE
IPS: Cisco IPS 4235 or 4240, SW version 6.0(3)E1
ASA1-ASA2: Cisco ASA 5510, SW version 8.0
AAA/CA Server: Win 2k running CS ACS 4.0 and IPS Manager Express.
Test PC: Win XP workstation with ezVPN Client Installed.

You can find a more detailed topology description at IE’s Security Hardware List.

All the hardware cabling remains the same and the backbone routers did not change. If you compare this to our current hardware blueprint, you will see that only R6 needs to be replaced with an ISR router. Optionally, instead of a 2811 you can use another ISR such as an 1841 64/192 for R6. If you are using the Dynamips emulator for your virtual CCIE rack, you can use the 3725 model for SSL VPN, for instance. Simply put, you just need any router that supports SSL VPN and the other ADVANCED ENTERPRISE features. As for the GET VPN feature: even though the Cisco Feature Navigator (FN) does not list it as being supported on 2611XM routers, it is still present in the ADV. SECURITY feature set. Surprisingly enough, the ADVANCED ENTERPRISE SERVICES image for the 2611XM does not support the feature :)

Now for the IPS appliance: the latest software version for the IPS is 6.2, and it does not support the older 4235 or 4215 IPS sensors (nor does version 6.1). Instead, the blueprint suggests using the newer 4240 model. However, if you look at the release notes for IPS SW 6.2 and 6.1 you will note the following two major new features:

a) IPS management via IPS Manager Express
b) IPv6 support

Other updates are minor, including some cosmetic changes such as health monitoring, customizable dashboards, unauthenticated NTP, etc. Of course, you can still configure the IPS using IDM (IPS Device Manager) or the CLI and use IME (IPS Manager Express) for appliance monitoring. As for IPv6, it is not part of the current blueprint; plus, the blueprint specifies IPS version 6.1, which does not support IPv6. Therefore, until they announce IPv6 as being tested in the CCIE Security blueprint, you may freely stick with the older IPS models and save on buying the more expensive 4240. Even better, the older 4215 appliance can be emulated in VMware! Note that you will see the older 4235 models for some more time in our racks, but they are going to be gradually replaced with the newer 4240 models. The labs will still rely on the 6.0 code.

As for the switches: right now we use the 3550s in the racks, but those will gradually be replaced with 3560s. The CCIE hardware blueprint states the use of 3560 and 3750 switches in the lab. If you compare the 3560 model against the 3550, you will see the following major differences: different QoS features, IPv6 support in the 3560, and no Private VLANs in the 3550 (even though the FN states they are supported there, sigh). Everything else is virtually the same. While QoS and IPv6 are not very important from the standpoint of the Security exam, Private VLANs are. However, if you look at the CCIE lab exam blueprint, you will see that Private VLANs are not listed there. Based on that, you can stick with the 3550 switches for 99% of the Security features tested in the CCIE lab.

Also, until April 20th you will see the PIX and the VPN3k appliances in our racks. So even if you are still pursuing the old-blueprint exam, you can use the rental racks, as most features are upward compatible with the updated software. And get ready for the upcoming initial update of our IEWB-SC VOL1 next week: 50+ technology-focused scenarios for the ASA firewall appliance.

Good luck with your studies!

Jan 31

In this post we will give a brief overview of the upgrade path from the CCIE Security v2.0 blueprint to v3.0. First of all, let’s start with the good news for everyone who was preparing using the old blueprint: most of the things you have learned are incorporated smoothly into the new blueprint. Basically, the only thing to forget is your VPN3k configuration skills :) Everything else either remains the same or receives an “incremental update”, like LAN-to-LAN VPNs with IPsec VTI interfaces. Let’s quickly review the changes made to the hardware and how they could potentially affect you.

  • Removal of the PIX and VPN3k devices, which is natural as both are EOL and EOS. Therefore, forget all about the VPN3k menu system and enjoy the simpler topology without the PIX ;) However, for some people getting a PIX is more affordable than getting an ASA. In this case, remember that the latest software release supported by the PIX is 8.0(4) (not 8.1) and that you cannot configure SSL VPN on the PIX. Still, you can practice almost 90% of all the firewall features using the PIX.
  • Change from the Catalyst 3550 to 3560 models. From the security features standpoint, nothing has seriously changed. You can even continue using the older 3550 models, as they are probably cheaper to get nowadays.
  • The much-awaited upgrade from IOS 12.2T to IOS 12.4T. First of all, this might require a change in the hardware platforms you are using. If you were using non-ISR or non-2600XM routers, you will need to change the hardware platform to at least a 2600XM with full flash/RAM memory (to run the Advanced Security feature set) or the 1841 ISRs. Note that using Dynamips you can play with all 12.4T features without getting your hands on any real gear. Secondly, 12.4T introduces a ton of new features compared to the dusty 12.2T. However, it’s not as scary as it might look. Most of the new security features relate to IOS PKI, some AAA enhancements, a bunch of advanced VPN topics and infrastructure security. Probably the most notable features are VPN/firewall related: IPsec VTI, WebVPN/SSL VPN support in IOS, DMVPN Phase 3, GET VPN; Zone-Based and Transparent Firewall, CBAC enhancements. Later in this document we will see those features detailed in the upgrade list of the new SC VOL1 labs.
  • ASA software upgrade from 7.x to 8.x. While this is a major version jump, it does not imply a change in the CLI as huge as the one from 6.x to 7.x. There is quite a bunch of new features in the 8.x code (you will see the list later), but most of them are minor ones. Most likely you will enjoy things like Dynamic Access Policies, LDAP Authentication and Authorization, Secure Desktop Enhancements, EIGRP Support (who needs that? :), Transparent Firewall NAT and Traffic Shaping. However, if you are solid with code version 7.x you won’t face big problems mastering the new topics.
  • IPS software upgrade from 5.1 to 6.1 and the platform change to the 4240. The catch here is that IPS v6.1 does not support many older IDS/IPS appliances, such as the 4215 or 4235, and getting a 4240 might be expensive. However, there is still some good news. The CLI has not changed as much as it did with the 4.x to 5.1 upgrade, and all your 5.1 knowledge remains valid and up to date. The most notable new features are Virtual Sensors, Anomaly Detection, Threat Rating and the new IPS Manager Express. If you are OK with doing all your configuration via the CLI, you can stick with IPS v6.0, which you can run on the older platforms (4215, 4235), as there are just minor differences between 6.0 and 6.1 (mostly related to IPS Manager Express). Probably the best news is that the old 4215 platform can be successfully emulated in VMware.

Now, let’s look at the v2.0 to v3.0 upgrade path that you can take with our products. Below is the list of the VOL1 technology labs. You can see the outdated topics being deleted and the new topics (which are being developed) highlighted. Naturally, many older labs remain perfectly valid for the new track, and you can continue practicing them while waiting for the upgrade to be released. We also decided to keep the NAC labs, even though NAC is not on the current blueprint, mostly because they give you a perfect scenario for advanced ACS configuration. Of course, if you own our current v2.0 products, you will receive the v3.0 updates free of charge.

Jan 13

Bookmark this page and check back often for updates! As you can see it is very much a work in progress, but I will be making updates.

I. Implement secure networks using Cisco ASA Firewalls

A. Perform basic firewall Initialization

Jan 02

In this post I will try to summarize the things known so far about the CCDE written/practical exams and provide some (hopefully) useful tips and hints. Even though I haven’t received my exam results yet, I think it’s still a good idea. At least, I’m still the person who “tried” and hasn’t “failed” yet (or at least is unaware of that :)

The first question that people ask: would getting CCDA and CCDP help in achieving CCDE? That would help, a little. The most useful thing would be summarizing your knowledge of IP Routing protocols and QoS topics. Plus, you can find some useful things in the new ARCH2 training course. However, I don’t think it is necessary to become a CCDP in order to get enough knowledge for taking the CCDE.

Dec 04

The following is a detailed CCIE SP lab exam outline. The aim is to help people preparing for the respective exam in organizing their study and eliminating “white spaces” in their knowledge. In general, the outline tries to follow the official lab blueprint as much as possible and covers the following topics in depth:

  • Bridging & Switching
  • IGP Core Routing
  • BGP
  • MPLS
  • SP Multicast
  • L2/L3 VPNs
  • QoS
  • Security
  • High Availability
  • Management

Some of the sections may look too detailed, especially Bridging & Switching (particularly ATM technology) and maybe the QoS and High Availability sections. You will probably want to spend most of your time on the IGP, BGP, MPLS and L2/L3 VPN sections (the core of the SP lab) and slightly less on the SP Multicast section.

Dec 02

Below is the new CCIE Voice Lab Blueprint (version 3) that will be implemented mid-July 2009.

CCIE Voice Lab 3.0 Equipment and Software Versions

Passing the CCIE Voice Lab Exam requires a depth of understanding difficult to obtain without hands-on experience. Early in your preparation, you should arrange access to the equipment listed below:

Lab Equipment:

  • Cisco MCS-7845 Media Convergence Servers
  • Cisco 3825 Series Integrated Services Routers (ISR)
  • Cisco 2821 Series Integrated Services Routers (ISR)
  • ISR Modules and Interface Cards
      + VWIC2-1MFT-T1/E1
      + PVDM2
      + HWIC-4ESW-POE
      + NME-CUE

  • Cisco Catalyst 3750 Series Switches
  • IP Phones and Soft Clients

Software Versions

Any major software release which has been generally available for six months is eligible for testing in the CCIE Voice Lab Exam.

  • Cisco Unified Communications Manager 7.0
  • Cisco Unified Communications Manager Express 7.0
  • Cisco Unified Contact Center Express 7.0
  • Cisco Unified Presence 7.0
  • Cisco Unity Connection 7.0
  • All routers use IOS version 12.4T Train
  • Cisco Catalyst 3750 Series Switches use 12.2 Main Train

Network Interfaces

  • Fast Ethernet
  • Frame Relay

Telephony Interfaces

  • T1
  • E1

Nov 29

I expanded upon the awesome CCIE Lab Technology Outline found in the Resources section of our main Web Site. I am looking to add features to this list soon, and of course, please post any changes you feel I should make in our comments section. I plan on fixing the formatting as I add new features. Enjoy your studies.

I. Bridging and Switching

A. Frame Relay

    I. L2/L3 Resolution – static vs dynamic
    II. Broadcast/Multicast Support
    III. LMI
    IV. Full Mesh/Partial Mesh
    V. Hub and Spoke using Point-to-Point
    VI. Hub and Spoke using Multipoint
    VII. SVC
    VIII. PPP over Frame
    IX. End to End Keepalives
    X. Broadcast Queue
    XI. Load Interval
    XII. PING local interface
    XIII. Multilink Frame Relay

B. PPP/HDLC

Oct 16

Hi gang. If you are a “tweener” like me as you are looking at this lab track, I thought you might like a list of the topics in the new blueprint that do not exist in the old one. Also, notice that many topics that exist in both are being implemented on different equipment. For example, in the old blueprint you might do an SSL VPN on the concentrator, but now you would be limited to IOS or ASA.

Section II Cisco IOS Firewalls

B. Zone-Based Firewalls

Section III VPN

D. Group Encrypted Transport (GET) VPN
J. AnyConnect VPN

Section IV IPS

D. Virtual Sensors
E. Security Policies

Section V Identity Management

B. LDAP

Section VI Control Plane/Management Plane Security

A. Implement routing plane security features (protocol authentication, route filtering)
B. Configure Control Plane Policing
C. Configure CP protection and management protection
D. Configure broadcast control and switchport security
E. Configure additional CPU protection mechanisms (options drop, logging interval)
F. Disable unnecessary services
G. Control device access (Telnet, HTTP, SSH, Privilege levels)
H. Configure SNMP, Syslog, AAA, NTP
I. Configure service authentication (FTP, Telnet, HTTP, other)
J. Configure RADIUS and TACACS+ security protocols
K. Configure device management and security

Section VIII Network Attacks

B. Malicious IP Option Usage

Oct 15

The long-rumored Security CCIE Lab changes have finally been officially announced by Cisco. The new version 3 hardware/software and blueprint will be implemented in mid-April 2009. The good news is that there are not going to be any real changes to the hardware. The new hardware and software are listed below:

Hardware

  • Cisco 3800 Series Integrated Services Routers (ISR)
  • Cisco 1800 Series Integrated Services Routers (ISR)
  • Cisco Catalyst 3560 Series Switches
  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco IPS Series 4200 Intrusion Prevention System sensors
  • Cisco Secure Access Control Server for Windows

Software

  • Cisco ISR Series routers running IOS Software Version 12.4T; the Advanced Enterprise Services feature set is used on all routers
  • Cisco Catalyst 3560 Series Switches running Cisco IOS Software Release 12.2(44)SE or above
  • Cisco ASA 5500 Series Adaptive Security Appliances OS Software Version 8.x
  • Cisco IPS Software Release 6.1.x
  • Cisco VPN Client Software for Windows, Release 5.x
  • Cisco Secure ACS for Windows Version 4.1

New Version 3 Blueprint

  1. Implement secure networks using Cisco ASA Firewalls
    1. Perform basic firewall Initialization
    2. Configure device management
    3. Configure address translation (nat, global, static)
    4. Configure ACLs
    5. Configure IP routing
    6. Configure object groups
    7. Configure VLANs
    8. Configure filtering
    9. Configure failover
    10. Configure Layer 2 Transparent Firewall
    11. Configure security contexts (virtual firewall)
    12. Configure Modular Policy Framework
    13. Configure Application-Aware Inspection
    14. Configure high availability solutions
    15. Configure QoS policies
  2. Implement secure networks using Cisco IOS Firewalls
    1. Configure CBAC
    2. Configure Zone-Based Firewall
    3. Configure Audit
    4. Configure Auth Proxy
    5. Configure PAM
    6. Configure access control
    7. Configure performance tuning
    8. Configure advanced IOS Firewall features
  3. Implement secure networks using Cisco VPN solutions
    1. Configure IPsec LAN-to-LAN (IOS/ASA)
    2. Configure SSL VPN (IOS/ASA)
    3. Configure Dynamic Multipoint VPN (DMVPN)
    4. Configure Group Encrypted Transport (GET) VPN
    5. Configure Easy VPN (IOS/ASA)
    6. Configure CA (PKI)
    7. Configure Remote Access VPN
    8. Configure Cisco Unity Client
    9. Configure Clientless WebVPN
    10. Configure AnyConnect VPN
    11. Configure XAuth, Split-Tunnel, RRI, NAT-T
    12. Configure High Availability
    13. Configure QoS for VPN
    14. Configure GRE, mGRE
    15. Configure L2TP
    16. Configure advanced Cisco VPN features
  4. Configure Cisco IPS to mitigate network threats
    1. Configure IPS 4200 Series Sensor Appliance
    2. Initialize the Sensor Appliance
    3. Configure Sensor Appliance management
    4. Configure virtual Sensors on the Sensor Appliance
    5. Configure security policies
    6. Configure promiscuous and inline monitoring on the Sensor Appliance
    7. Configure and tune signatures on the Sensor Appliance
    8. Configure custom signatures on the Sensor Appliance
    9. Configure blocking on the Sensor Appliance
    10. Configure TCP resets on the Sensor Appliance
    11. Configure rate limiting on the Sensor Appliance
    12. Configure signature engines on the Sensor Appliance
    13. Use IDM to configure the Sensor Appliance
    14. Configure event action on the Sensor Appliance
    15. Configure event monitoring on the Sensor Appliance
    16. Configure advanced features on the Sensor Appliance
    17. Configure and tune Cisco IOS IPS
    18. Configure SPAN & RSPAN on Cisco switches
  5. Implement Identity Management
    1. Configure RADIUS and TACACS+ security protocols
    2. Configure LDAP
    3. Configure Cisco Secure ACS
    4. Configure certificate-based authentication
    5. Configure proxy authentication
    6. Configure 802.1x
    7. Configure advanced identity management features
    8. Configure Cisco NAC Framework
  6. Implement Control Plane and Management Plane Security
    1. Implement routing plane security features (protocol authentication, route filtering)
    2. Configure Control Plane Policing
    3. Configure CP protection and management protection
    4. Configure broadcast control and switchport security
    5. Configure additional CPU protection mechanisms (options drop, logging interval)
    6. Disable unnecessary services
    7. Control device access (Telnet, HTTP, SSH, Privilege levels)
    8. Configure SNMP, Syslog, AAA, NTP
    9. Configure service authentication (FTP, Telnet, HTTP, other)
    10. Configure RADIUS and TACACS+ security protocols
    11. Configure device management and security
  7. Configure Advanced Security
    1. Configure mitigation techniques to respond to network attacks
    2. Configure packet marking techniques
    3. Implement security RFCs (RFC1918/3330, RFC2827/3704)
    4. Configure Black Hole and Sink Hole solutions
    5. Configure RTBH filtering (Remote Triggered Black Hole)
    6. Configure Traffic Filtering using Access-Lists
    7. Configure IOS NAT
    8. Configure TCP Intercept
    9. Configure uRPF
    10. Configure CAR
    11. Configure NBAR
    12. Configure NetFlow
    13. Configure Anti-Spoofing solutions
    14. Configure Policing
    15. Capture and utilize packet captures
    16. Configure Transit Traffic Control and Congestion Management
    17. Configure Cisco Catalyst advanced security features
  8. Identify and Mitigate Network Attacks
    1. Identify and protect against fragmentation attacks
    2. Identify and protect against malicious IP option usage
    3. Identify and protect against network reconnaissance attacks
    4. Identify and protect against IP spoofing attacks
    5. Identify and protect against MAC spoofing attacks
    6. Identify and protect against ARP spoofing attacks
    7. Identify and protect against Denial of Service (DoS) attacks
    8. Identify and protect against Distributed Denial of Service (DDoS) attacks
    9. Identify and protect against Man-in-the-Middle (MiM) attacks
    10. Identify and protect against port redirection attacks
    11. Identify and protect against DHCP attacks
    12. Identify and protect against DNS attacks
    13. Identify and protect against Smurf attacks
    14. Identify and protect against SYN attacks
    15. Identify and protect against MAC Flooding attacks
    16. Identify and protect against VLAN hopping attacks
    17. Identify and protect against various Layer2 and Layer3 attacks