CCIE Security

Posted in CCIE with tags on December 23, 2008 by cciejournal

After much thought I’ve decided to skip the CCNA Security/CCSP path and just go straight for CCIE Security. There are a few reasons behind my decision and I thought I’d share them along with how I’m getting started.

1) Cost
The cost of sitting the CCNA Security exam plus the 4 exams for CCSP is $750 US. On top of that there’s the study material required for each one. Granted some of the books I buy for CCIE could be used for both, but I’d rather spend all that money on CCIE.

2) Time
I just can’t be bothered doing 5 separate exams just to move on and do 2 more. I’m now fully aware of what’s required to do a CCIE and what I’m getting myself into. It may be an advantage to work my way up if I thought that I might be in the market for a new job at some stage next year, but the fact is I won’t be. In the end a CCIE is worth 10 times more than the associate and professional certs.

3) Content
Apart from the elective exams in CCSP, virtually everything you find in the lesser exams is part of the CCIE blueprint anyway. Also I don’t really need or want to know how to set things up in the SDM (which is more of a focus in associate and professional) so I’m quite happy to skip those parts :)

4) Work
With my new job just around the corner I’m going to have access to a plethora of mentors and e-learning tools that will no doubt be able to speed up the learning process for me.

——–

Strategy
I’m going to focus entirely on the 3.0 version of the blueprint and my first milestone is to sit the written exam once it changes in April. So really all I need to worry about at this stage is building a foundation of all the topics by doing plenty of reading. I’ll be updating my study material list at the top right of this page, but at the moment I have the following titles:

Network Security Technologies and Solutions (CCIE Professional Development) – Yusuf Bhaiji
Cisco ASA, PIX, and FWSM Firewall Handbook – David Hucaby
Cisco ASA – All-in-One Firewall, IPS, and VPN Adaptive Security Appliance – Jazib Frahim

Once I get a bit more cash I’ll invest in some class-on-demand videos too.

For the lab I’m not sure what vendor I’ll use. It’s most likely going to be Internetwork Expert since they are now working on the 3.0 material and plan to have it released before the new exam kicks in. I’ll use Dynamips for random ASA and IOS stuff, but unless I get access to some real equipment with my new job I’ll settle for rack time for most of my lab preparation.

My goal is to sit and pass the lab by Q3 of next year, but we’ll wait and see. I’m not going to let this one rule my life for nine months :)

SNAF Topology in GNS3

Posted in CCSP with tags , , , , on December 5, 2008 by cciejournal

After a bit of screwing around and reading about PEMU/VMware I managed to get my topology working as intended. GNS and virtual adapters don’t seem to like on-the-fly changes. The solution in the end was to configure all the adapters/IPs etc, reboot the VMware host machine, then create the topology in GNS from scratch.

My laptop is directly connected to my Dynamips/GNS machine (running Vista) which is bridged to the inside interface of the PIX. The Dynamips/GNS machine also runs a virtual instance of Windows 2003 server with Cisco ACS installed which is bridged to the DMZ interface of the PIX.

The PIX 525 is running release 8.0(4) with ASDM 6.1(3).

Apart from testing failover (which doesn’t really work properly in Dynamips) I can play with just about everything required for the first ASA exam (SNAF).


After about 10 solid hours of messing about and doing a shitload of reading I’m pretty comfortable with just about every topic. The next step is to do some labs from the Cisco Partner e-learning connection (PEC) and then book the exam as soon as I’ve done a solid review.

At the same time I’ve been studying for SNAF I’ve been going through the CCNA Security certification guide. I think for anyone that’s completed the ISCW exam from CCNP, provided you have a basic understanding of security concepts, you’re probably 3/4 of the way there to obtaining this cert. Definitely worth the effort imo…

Still here

Posted in CCIE with tags on November 25, 2008 by cciejournal

Sorry, I’ve been a little slack with that second update on the lab. Reason? I’m studying again.

Since I arrived in the UK looking for work, I have always fallen short in one main area…..Security. Because of this I’ve only been considered for a handful of roles. Although I do have a lot of experience with Inspection, IPS, and IPsec and general security on IOS based platforms, I don’t have very much experience with PIX and ASA products. Well I kinda do, but it was a fair while ago and it simply doesn’t hold up in an interview because I’d forgotten even some of the basic rules to their operation.

My goal after achieving IE status was to get up to speed with security platforms like the PIX and ASA again so that I can vastly improve my employment prospects.

After studying for about a week I started to get the bug again, and I’m at a crossroads….

I always thought that after getting my R&S that I would move on to Service Provider since I already have my CCIP and a lot of experience with MPLS VPN solutions. I was even thinking about buying the study material before finishing my first IE. But now I’m not so sure….

I’m now leaning towards an IE in Security, as I think it’s more of a challenge and just generally more interesting to me.

So I got myself a copy of David Hucaby’s Cisco ASA, PIX, and FWSM Firewall Handbook, and Cisco ASA – All-in-One Firewall, IPS, and VPN Adaptive Security Appliance, which are accompanied by GNS3 with PEMU for some labbing.

At this stage I’m just going to take baby steps, but I think first up I’ll do three of the CCSP exams that make up the ASA specialist certification and see how we go from there. Starting with SNAF (Securing Networks with ASA Foundation), then CCNA Security, followed by SNAA (Securing Networks with ASA Advanced).

—–

As far as work goes, I’ve been looking for a little over two weeks now and after a few tweaks of the resume, and submitting it to the right places I’m starting to generate some good interest. Let me tell you, having a CCIE on your resume definitely raises some eyebrows. Recruiters call you, not the other way around. So with any luck I’ll be employed before the week is out…

Funny

Posted in CCIE with tags on November 22, 2008 by cciejournal

My experience with the lab

Posted in CCIE with tags , on November 21, 2008 by cciejournal

Leading Up
For the last few days of preparation before the day, my main goal was to get plenty of rest, adjust my body clock for an early start, and do as much review as possible without overdoing it. This meant no booze (at all!) for the last 5 days, getting to bed no later than 10pm, and getting up at about 8 o’clock.

For review, I went through the entire configuration documentation for the 3560 and 12.4 Mainline IOS. Not to the point of reading every single word though, just light skimming. Obviously at this stage I already knew what a lot of things did and where they could be found. But for some of the more obscure little things, I just read the introduction which tells you exactly what each technology is used for. Along with this I read the entire command reference for BGP, OSPF, EIGRP, RIP, and Multicast.

I also walked through the two practice labs in this digital shortcut from Cisco Press. I’d highly recommend this if you haven’t taken an assessor lab, just so you can get an idea as to how the questions are asked and solved. But don’t be shaken by how difficult the two labs are, both of them (especially the first one) are off the mark.

Finally I read through all of Michael Zuo’s CCIE notes. These are great. Nothing too heavy, just a recap on a ton of things you can do with each technology, their nuances, and examples of when to use a particular technology for a particular question. You can definitely tell he studied with Internetwork Expert :)

As far as not overdoing it, I did short sessions of 1 or 2 hours for no more than 6 – 7 hours (total) a day. In between I’d just be watching TV or reading CCIE success stories for hints and inspiration.

One last thing worth mentioning. Exercise. For me it was crucial to my study as it helps me think properly and stay alert. Most important was in the last few days, without getting a 30 – 45 minute run in of a night, it was near impossible to sleep when I wanted to sleep. If I didn’t do something physical, I’d end up staying awake ’til 2am thinking about OSPF adjacencies, BGP peerings, and VLANs that I forgot to create!!

The day before
On Thursday I woke up and didn’t really do much at all. Just packed my things, had breakfast, watched TV and waited for my ride to the tube station that takes me to Heathrow; my flight was at 2pm. On the flight I just listened to some relaxing tunes and skimmed through Michael Zuo’s notes.

At Brussels airport there was supposed to be a free shuttle service that runs to the NH hotel. What’s stupid is that this doesn’t run between 10am and 5:15pm. So instead of waiting an hour I got a taxi to the hotel which cost me 12 euro.

After checking in (the hotel was nice btw), I walked out the front door, turned right, then turned right again….then turned right again, and walked up the hill to Cisco. The first building is 7B, that’s not the right one, but the receptionist was hot. You actually walk straight past it until you get to the next Cisco building that looks identical (6B). I went to the reception area and just confirmed that I was in the right place. The security guard said they start at 8am in the morning. It takes no time at all to get there.

With reconnaissance out of the way, I went back to the hotel and used the gym to go for a run before my dinner.

The hotel was pretty good, but it was also expensive. 24 hours of private Internet access was like 20 euro, and downstairs the Internet was something like 35 cents a minute…Ripoff.

Meals weren’t cheap either, the average main was about 25 – 30 euro. I just went with the buffet and stuffed my face with all three courses (still cost me 30 euro though).

After dinner I just went back to my room, watched some TV and read over Michael’s notes until I was tired. I was in bed by 9pm and asleep by about 11. It wasn’t the greatest sleep though, I still woke up twice which then took me about 20 minutes each time to fall asleep again. But that was kind of expected….

The Lab
My alarm went off Friday morning at 5:45, I got dressed and went downstairs for a 30 minute run before a shower and buffet breakfast which included all the usual kind of tasty stuff. After that I went back up to my room, packed my things, and headed downstairs to checkout. By 7:30 I was at the reception area of Cisco. I signed in and took a seat in the waiting area where there were about 8 other hopefuls. I just sat there and gathered my thoughts…

‘Wow’ I thought. Months of preparation for this one day where you need to be on your best game. If you fall short of the mark, you’ve lost a large wad of cash, without improving your chances of getting a job and having money before Christmas, which also means you have no idea when you’re going to be able to afford a second shot at the title. That was the way I looked at it anyway. Not to put any pressure on myself or anything….

Was I nervous? No. Excited? No. Anxious? Not really. To me it was just another day doing another lab. I’ll elaborate on this later.

At 7:50 we were greeted by Bruno (the proctor) who escorted us upstairs. He showed us where the facilities were, outlined the rules, start/finish times, and gave us a few small tips.

We started at 8:15. It took me 1 hour and 15 minutes before I started configuring ANYTHING, which I’ll admit was a little slower than expected. In that time I did the following:

  • Drew up a grid that included columns for: Task Number, core / easy questions, notes, whether I had done (configured) it, whether I had checked it, and point values.
  • Read every question in the lab, even to the point of working out what the solution was, making a quick note on my notes column, and marking if it was a core question or easy question.
  • Drew my L2 diagram, this was done in conjunction with reading the switching section.
  • Drew my L3 diagram, this included DLCIs so you don’t have to reference the DLCI page anymore, and which routing protocols were running on which interfaces. Also done during my reading.
  • Checked the initial configs and IP addresses.

After reading the exam I was very surprised at how short it was, and how easy it appeared to be when you compare it to the IE labs. But the difficulty part made me a little wary that I was maybe missing something….

I started with frame-relay, moved onto my core switching tasks, and then went straight into IGP. I took my time on each task, making sure I read the question twice and fully verified each one. Amongst them there were about 2 tasks that got me really thinking. For these I simply made a quick note, did something else, and by the time I came back I knew what the solution was. It’s like your mind is thinking about it even when you’re not concentrating on it.

With 30 minutes before lunch I had finished my IGP (apart from one task that wasn’t core related) and had full reachability within the domain with my TCL scripts. The last half hour was spent picking up some quick points in various sections. Just before lunch, I saved and rebooted all my equipment.

Lunch was pretty ordinary. I played it safe with some chicken, chips, and a coke.

My initial plan at this stage was to use my lunch break for working through any really tough questions so that when I got back, I wouldn’t have to waste much time on them….but I kinda forgot. I just sat quietly waiting for round 2!

It was 12:45, I had 4 hours to go and I was about 2/3 through the exam. I quickly checked that reachability was still there and all my neighbors were up before doing the rest of the easy tasks.

After the quick easy ones BGP was next, nothing too difficult, but the Cisco way did throw me off a little bit in terms of how I was able to verify it. It may vary from lab to lab, so I’ll just say that you should clarify with the proctor how they grade it. But when he gave me the answer it left me with the impression they are all like that. Interesting…

Last up was multicast & QoS. The first QoS question was slightly tricky but only because of the wording. Reading it I started thinking, but what if this?? and what if that?? I asked the proctor and he could see why I was confused and simply said, “just do what it says”. Without dwelling on it anymore, I did my configuration and moved on to the next one. For this, all I’ll say is thank you Michael Zuo! Had I not read his notes I would never have figured this out in time.

With one question left from IGP, I decided that I wanted to secure all my other points. I grabbed a drink and started verifying every task word for word. During this I referenced my notes with the question and my solution to see if it matched and I hadn’t missed anything. This is where I started getting a little paranoid….

I think I changed two solutions to better suit the questions, and added extra configuration to another two to make entirely sure that I was definitely going to meet the requirements regardless of how strict they were going to be with the answers.

It’s hard to explain, but when you see the questions you will notice all the key words that are just begging for a certain command to be used. Most of the time everything you needed to do was explicitly asked, but there were a couple of times where they do expect configuration even though it’s not directly specified. For these you should be able to reference the configuration guides, look at the table that explains each command (optional or not) and derive the complete and correct answer from that.

Verification took me 90 minutes which pretty much brought me to 15 minutes remaining. As I mentioned in the last post, I accidentally forgot about one question and my quick solution didn’t work, so I scrapped it. Finally I saved all my configs and began the wait knowing that I gave it all I could.

CCIE #22671

Posted in CCIE on November 17, 2008 by cciejournal

What a relief! More to follow.


The waiting game…

Posted in CCIE on November 15, 2008 by cciejournal

My exam was on a Friday and I was hopeful that it would be graded by the States, but it looks like the proctor in Asia is the man for the job, so I’ll have to wait until Monday….

How did it go? I’d have to say “good”.

The lab exam is not nearly as hard or as long as most of the Vol2 labs and the IE mock labs. Most of the questions are simple and straight to the point, but there are definitely some really tough questions in there that require you to know your shit.

I feel confident in the fact that I have done all that I could to prepare, and it was enough on the day to get my 80 marks. Since about 5pm yesterday I have been racking my brain to try and think which questions I could have answered wrong, which is kind of pointless until I get my result….but you seriously cant help it!

I definitely lost 3 points because I failed to answer one question. Silly thing was that I put it aside while I verified all the other tasks. While doing this, the solution came to me but I wanted to finish verifying my completed work. I made a note with the intention of coming back later. Probably spending 90 odd minutes checking everything, it wasn’t until there were 10 minutes to go that I realised there was one question left. I implemented what I would consider to be a pretty basic configuration but it just wasn’t working as expected. Rather than risk it affecting something else that I didn’t have time to check, I removed the config and surrendered my 3 points.

Aside from that I answered every other question, with only 2 uncertainties. So with my 6 question limit, and one wrong with two maybes, I’d have to say that my chances of passing are more likely than unlikely.

I’ll say this though, if I don’t pass I’ll seriously have no idea why – and if I need to go back, I will not be studying any differently.

I’ll do a little more of a writeup when I get my result….but for now it’s time to go out and get hammered! :)

2 days, 21 hours, 1 minute, and 30 seconds

Posted in CCIE on November 11, 2008 by cciejournal

Not long to go now. Starting to get a little nervous but overall I’m feeling good.

On Saturday I did IE’s mock lab 7 which was surprisingly graded about 8 hours later. I scored 61 which is actually a little less than what I thought I got, and it was because I screwed up some pretty basic stuff. Had I left one or two of the really difficult tasks I would have given myself time to run through every question again just to verify.

Once again the mock labs have proved to be a fantastic way of spotting your shortcomings, and with the real deal only 3 days away, I’m glad I did this one so close to the exam.

  • The troubleshooting section was where it all began. I found the first problem (switchport backup) and then found what I believed was the second problem (wrong IP address on connection to BB3). Apparently this wasn’t even one of them! Anyway I moved on with the other tasks not realizing that SW3 and SW4’s loopbacks weren’t created.
  • I lost three points in the VLAN section because I think I had VLAN 7 specified on SW2. The notes from the proctor said that it wasn’t compatible with task 2.5. Task 2.5 said that VLAN 7 shouldn’t be created on SW2.
  • Task 2.4 was a real bitch. I just didn’t know how to do it. Basically to get SW3 and R2 talking to BB2 (which were in different VLANs) you needed to configure some form of VLAN hopping. Initially I thought that if I set BB2’s port to a trunk and configured VLAN 2 as the native VLAN then it would work. For starters it didn’t work, and then I realized that it’s not really acting as an access port (breaking task 2.1). I left it and came back later settling with private VLANs, but it wasn’t right either. The actual solution involves using a spare inter-switch link between SW2 and SW3 and just mismatching the VLANs on either side.
  • Task 2.5 had notes saying that VTP pruning doesn’t work in transparent mode, which is entirely true. But I had to use transparent to implement the private VLANs, and then just manually used pruning commands to make sure SW2 wasn’t pruning the needed VLANs.

So in the troubleshooting and bridging section I lost a total of 10 points. Not a great start…

  • I lost three points in OSPF 4.4 because SW3 and SW4 loopbacks weren’t accessible.
  • I lost 3 points in task 4.5 here because my summary route was a /29 instead of a /28! Stupid.
  • I lost 3 points in task 4.6 because my prefix list was a /24 instead of a /16. Once again, stupid.
  • Then again in task 5.2 my summary route was a /29 instead of a /28. FFS.

And where did all this stem from?! Getting flustered with not being able to solve the bridging section, wasting time on hard tasks, which in turn meant I could not check my work properly. But we aren’t finished yet!

  • Task 7.3 IPv6. I have no idea what was going on here, a reasonably simple 6to4 tunneling scenario and it wouldn’t fucking work. I attempted it about 3 times with no luck. I even labbed it up at home and still don’t know why it didn’t work….
  • Task 8.3 QoS. I’m a little peeved at getting this one wrong because I thought my solution was quite clever. The problem was that I didnt read the requirement properly, it said that the traffic was already marked.
  • Task 9.1 (Local Authorization) wanted the user NOC to have access to all the snmp related commands. I missed the interface level snmp* commands.
  • Traffic accounting wanted to know the ingress interface which meant that ‘ip accounting output-packets’ wasn’t valid. My initial thought was Netflow which is what I implemented in the end. But all they were asking for was ‘ip source-track’. The lesson here was that it was a DoS attack and I should have maybe gone to the security section in the DocCD for a little look first.
  • WAN polling was all right except the documentation led me astray! You can set up thresholds and traps for IP SLA which sends them to the ‘syslog’ trap. I didn’t need to do this since there is an ‘rtr’ trap. I was looking for ‘sla’.
  • Last but not least was a menu system that used rsh to display the routing tables of the other routers. Do you think it would work?! Possibly the most frustrating task I’ve ever encountered, except for maybe the IPv6 tunneling one :). I even tried this on my dynamips setup and haven’t been able to get it working, it was crashing the rsh server router….

Although I’m a little annoyed with some of the things, this lab was rated a 10 and a score in the 60’s is still considered to be good. But the real thing will never be as hard as this.

It has changed my approach to the exam slightly, but overall I still know what I need to do.

IE Mock Lab 4

Posted in CCIE on November 3, 2008 by cciejournal

Well, not near as bad as I thought. My score was 80, but I did make a couple of silly errors that pissed me off a bit.

  • I lost 3 points for task 2.1 in frame relay because it said that I’m only allowed to use one mapping statement on R1 to reach both R5 and R2. I did only use one mapping statement and thought that if I use point-to-multipoint in the IGP section then it meets the requirements. Nuh uh. What I should have done was used the static mapping on R1 to R2 (the other spoke) and then INARP would sort out the reachability to R5….tricky! I guess this teaches me that a task’s requirements have to be met by the task on its own. If only it worked the same way when it came to tasks breaking other tasks!!!
  • I lost 2 points for task 2.5 because I didn’t disable inverse ARP on R6!!! Bah, even the solution guide doesn’t say to do that!
  • Task 3.1 was for PPP (3 points) and it said that R4 wasn’t allowed to have its IP address assigned to the Serial interface. So I set up the remote router to assign the address using IPCP. What I didn’t pay close attention to was the subnet mask, it HAD to be a /24 not /32. A multilink interface was required to solve this.
  • Task 4.5 I lost 2 points because R4 had a specific route to reach R5’s loopback. I can’t verify this now, but I’m not too surprised.
  • Task 4.6 for 2 points was rather interesting, and I didn’t even do it for the reason that if I did, and it wasn’t correct I would risk losing my 4 (maybe 6 total) points in task 4.4. Here’s my logic: The OSPF domain has area 0 spread everywhere making it discontiguous in multiple places. Task 4.4 says to fix all this up (implying virtual-links or tunnels) BUT it says “do not use tunnels to accomplish this task”. Fine, virtual-links it is. Then you come to 4.6 and it says that you need to make sure that OSPF connectivity is still maintained if the link between SW2 and R5 goes down (R4 is attached to SW2). Another requirement is that you are NOT allowed to enable OSPF on R4’s interface towards SW1.

    Now with my CCIE lab hat firmly on I thought to myself, if I use a tunnel here to connect R4’s area 0 back into the OSPF domain I’m essentially breaking the rules of 4.4. Then I thought…nah, maybe there’s another way to do it. Weighing it up for about 5 minutes I thought, fuck this….there is only one other way to do it….but I’m not gonna risk it.

    I should have just trusted my instincts. Had there been a proctor available I wouldn’t have thought twice about badgering him on this kind of question.

  • Next up after breezing through BGP, Multicast, and IPv6 was task 8.2 in QoS. For one measly point I didn’t structure my policy map correctly and therefore broke the task.
  • Task 9.3 was a stupid mistake of knowing what I needed to do but just missing it, aaa authentication password-prompt was the command and although I did the username I somehow forgot the second part of it. Bugger.
  • 10.1 was probably the most annoying loss of three points ever. And this kind of thing has got me more than once. I configured the TFTP server IP address for Rack1 not Rack 15!!!! I think that for the real lab I’ll be running the following command on all my devices before finishing – show run | inc X.1. where X is the major network number(s) in the topology.
  • Last up was 10.2 and it was an SNMP feature I hadn’t heard of. snmp-server tftp-server-list enables the router’s configuration to be downloaded by the management station. 3 points!
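The wrong-rack sweep described in the 10.1 item above, as an added example that is not part of the original post: a small Python checker that does the same search offline over saved running-configs, plus a builder for the IOS `show run | include` filter. The rack addressing scheme (rack number in the second octet of each major network) and the config excerpt are constructed assumptions for the example, not the lab's real addressing. The one practitioner caveat it encodes: in the IOS filter `.` is a regex wildcard, so an unescaped `150.1.` also matches `150.10.x` and `1150.1.x`; escape the dots.

```python
import re

# Constructed sample running-config excerpt (not from any real rack). The lab
# addressing scheme assumed here puts the rack number in the second octet of
# each major network, e.g. 150.<rack>.x.x; the "X.1." check in the post targets
# addresses that carry rack 1 instead of the candidate's own rack (15 here).
SAMPLE_CONFIG = """\
hostname R1
!
interface Loopback0
 ip address 150.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 155.15.146.1 255.255.255.0
!
ip tftp source-interface Loopback0
snmp-server host 10.1.100.50 traps public
ip route 0.0.0.0 0.0.0.0 155.15.146.254
"""

# Four dotted octets not glued to other digits/dots (so 10.1.1.1.1 is skipped).
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def find_wrong_rack(config, rack, major_nets):
    """Return (line_no, address, line) for each IPv4 address in `config`
    whose first octet is one of the lab's major networks but whose second
    octet is not `rack`. Subnet masks (255.x.x.x), wildcard masks (0.x.x.x)
    and any other non-major-net address are ignored."""
    hits = []
    for line_no, line in enumerate(config.splitlines(), 1):
        for addr in IPV4_RE.findall(line):
            octets = [int(o) for o in addr.split(".")]
            if max(octets) > 255:
                continue  # e.g. 999.1.1.1 is not an address
            if octets[0] in major_nets and octets[1] != rack:
                hits.append((line_no, addr, line.strip()))
    return hits


def ios_include_commands(major_nets, wrong_rack):
    """Build one `show run | include` filter per major network, with the
    dots escaped so the regex only matches the literal octet boundaries."""
    return [
        f"show run | include {net}\\.{wrong_rack}\\." for net in sorted(major_nets)
    ]


if __name__ == "__main__":
    for line_no, addr, text in find_wrong_rack(SAMPLE_CONFIG, 15, {10, 150, 155}):
        print(f"line {line_no}: {addr} looks like the wrong rack -> {text}")
    for cmd in ios_include_commands({10, 150, 155}, 1):
        print(cmd)
```

Run it against `show run` output captured from each device (or the configs saved to TFTP) just before the final save; anything it prints is a candidate for the Rack1-versus-Rack15 mistake the post describes.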

14 days left…

Posted in CCIE on October 30, 2008 by cciejournal

Already into the arse end of Thursday, only two weeks to go!

Since Monday I’ve gone through the switching and OSPF Volume I workbooks. As expected there wasn’t anything in there I was unfamiliar with or needed the documentation for.

I’ve also gone through Volume II labs 1 – 8, but instead of reading through the PDFs I decided to watch the breakdown videos from start to finish. Basically I’d read the question, and then pause the video while I do the configuration in my head, and then unpause it to see if my solution was right. The advantage of these is that they are for real equipment, so they include the proper switching sections, plus Brian discusses other ways to solve the task. If there was anything I didn’t know how to locate in the documentation, or didn’t get right….I’d find it and read up on it.

Then yesterday since I was having withdrawals from not doing mock labs I decided that I may as well do them all before I sit my lab, so I booked in mock #4. Glad I did too, I learnt a couple of things….mainly how much of an absolute pig it is!

I haven’t got my grade yet, but to be honest out of all the ones I’ve done so far, this one had the most ambiguous requirements yet, so it’s hard to tell what I’ll get points for and what I won’t.

It was heavy on OSPF, and mainly due to interpretation and not having a proctor, I probably spent too much time on trying to get it right when there were points to be rescued in all the other areas. Once I’d bitten the bullet, I flew through the other sections and got everything done except one question. I had only 15 minutes left for a review, in which I managed to save 4 points (I think!).

The grade and comments will be interesting, because I have questions for the proctor already if he marks certain things wrong!! :)

Hopefully I get my marks tonight so I’ll post something tomorrow.