CCIE Blog

Helping you become a Cisco Certified Internetwork Expert


Welcome to Internetwork Expert's CCIE Blog

Welcome to Internetwork Expert’s CCIE Blog! This site is dedicated to helping you in your pursuit of becoming a Cisco Certified Internetwork Expert in Routing & Switching, Voice, Security, Service Provider, and Storage. Through this blog you can submit questions to our expert instructors, Brian Dennis - Quintuple CCIE #2210, Scott Morris - Quad CCIE #4713, Brian McGahan – Triple CCIE #8593, Petr Lapukhov - Quad CCIE #16379, Anthony Sequeira - CCIE #15626, and Marvin Greenlee - Triple CCIE #12237. Check back daily as this blog will be updated frequently.


June 27th, 2009

INE Product Updates

Hi everyone,

Been quiet for a while; had to travel a lot last week. We have posted the updates to the IEWB-SC VOL1 “Hotfix” section:

IOS CA
IPS VLAN Groups and Virtual Sensor
IPS Event Summarization
IPS Event Processing
IPS Blocking and Rate-Limiting
IPS Application Inspection and Control
IPS META Engine
IPS Anomaly Detection
IOS IPS

and to IEWB-VO VOL1

SIP Phone Endpoints
Basic User Configuration
CUCM OS Users
Softkey Templates
Phone Button Templates
Common Phone Profile
Directory Number/Line Configuration
Partitions
Calling Search Spaces
Gateway - MGCP T1 PRI
Gateway - H.323
T1 CAS
Route Groups
Route Lists
Route Patterns
Local Route Group

As for R&S, we’re currently working on the new addition to VOL1, which outlines the troubleshooting process in general, defines strategies and provides troubleshooting examples. This is to be released next month. In addition to that, we’re preparing separate troubleshooting labs to be delivered in addition to VOL2 scenarios. Those will use separate topologies and will use a trouble-ticket pool that we develop. As for technology updates, we’re hindering that a bit and giving more priority to the troubleshooting scenarios. Personally I believe that adding troubleshooting to the CCIE R&S lab is the most important change, as it affects the whole lab strategy.

There were people asking for our new R&S rack topology. We delayed that announcement, because the one we’re currently working with would probably be expensive for many people using their own racks. We’re looking for ways to implement our workbooks on a hybrid, less expensive topology. But if you want to know what is being used now – it’s 5×1841s for R1, R2, R4, R5 and R6 and one 2811 for R3. All cabling connections and switches remain unchanged. If you pick up that topology, you won’t miss anything (well, maybe some money); but if you’re trying to minimize the upgrade expenses, we’ll do our best to make that possible.

Happy studying!

June 16th, 2009

More Product Updates!

Hi Everyone,

Just to keep you posted. We have another bunch of updates uploaded to our members area.

For R&S, there are two new IEWB-RS VOL2 labs (Lab11 & Lab12). Those two are basically re-worked versions of older VOL2 labs, better balanced and formatted to match the blueprint. For SC, there is a new IEWB-SC VOL2 Lab4 (full-scale) packed with new features for you guys that need more challenge. In addition to that, there are new labs posted under the IEWB-SC VOL1 “Hotfix” section. Here is the full list of the labs currently in this section:

ASA Redundant Interface
ASA Enhanced Object Groups
Flexible Packet Matching
Zone Based Firewall
ZFW Rate Limiting
ZFW Application Inspection
Control Plane Protection (CPPr)
Remote Session Authentication using TACACS+
Exec Authorization using TACACS+
IOS Local Command Authorization
IOS Remote Command Authorization
Using RADIUS for Session Control
Classic IOS Transparent Firewall
ZFW-Based IOS Transparent Firewall
IOS IP Virtual Reassembly
IOS ACL Selection IP Option Drop

As for the Voice track, there is a fresh pack of new IEWB-VO VOL1 labs as well! See list of the new VOL1 labs below:

CUCM Navigation and GUI Interface
CUCM CLI Interface
Communications Manager Initialization
Verifying Database Replication
Date/Time Groups
CUCM DHCP
IOS DHCP
Phone Auto Registration
SIP Phone Endpoints

Happy labbing!

June 14th, 2009

Understanding Flexible Packet Matching

Flexible Packet Matching is a new feature that allows for granular packet inspection in Cisco IOS routers. Using FPM you can match any string, byte or even bit at any position in the IP (or theoretically non-IP) packet. This may greatly aid in identifying and blocking network attacks using static patterns found in the attack traffic. This feature has some limitations, though.

a) First, it is completely stateless, i.e. it does not track the state/history of the packet flow. Thus, FPM cannot discover dynamic protocol ports such as those used by H.323 or FTP, nor can it detect patterns split across multiple packets. Essentially, you are allowed to apply inspection on a per-packet basis only.

b) Additionally, you cannot apply FPM to the control-plane traffic, as the feature is implemented purely in the CEF switching layer. Fragmented traffic is not assembled for matching, and the only inspected packet is the initial fragment of the IP packet flow.

c) IP packets with IP options are not matched by FPM either, because they are punted to the route processor.

d) Lastly, this feature inspects only unicast packets and does not apply to MPLS encapsulated packets.

Configuring an FPM filter consists of a few steps.

(1) Loading protocol headers.
(2) Defining a protocol stack.
(3) Defining a traffic filter.
(4) Applying the policy & Verifying

Let’s look at each of these steps in depth.

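The four configuration steps listed above, put together as one IOS configuration. This is an added example, not taken from the original post: the PHDF location, class-map and policy-map names, interface, UDP port 9999 and the 4-byte pattern are all constructed assumptions.

```cisco
! Added example: names, interface, PHDF path, port and pattern are assumptions.
!
! (1) Load protocol headers (PHDFs) so header fields can be matched by name.
load protocol system:fpm/phdf/ip.phdf
load protocol system:fpm/phdf/udp.phdf
!
! (2) Define the protocol stack: IP carrying UDP (IP protocol 0x11).
class-map type stack match-all STACK_IP_UDP
 match field IP protocol eq 0x11 next UDP
!
! (3) Define the traffic filter. Both conditions are evaluated against a
!     single packet, because FPM keeps no state between packets.
!     Offset 28 from the start of the L3 header = 20-byte IP header
!     + 8-byte UDP header, i.e. the first four payload bytes. The fixed
!     20-byte header is safe to assume here: packets with IP options
!     are punted to the route processor and never reach FPM.
class-map type access-control match-all FILTER_SAMPLE
 match field UDP dest-port eq 9999
 match start l3-start offset 28 size 4 eq 0xDEADBEEF
!
! Action for packets matching the filter.
policy-map type access-control PM_DROP_SAMPLE
 class FILTER_SAMPLE
  drop
!
! Nest the filter policy under the stack class, so that it is only
! evaluated for packets that match the IP/UDP stack.
policy-map type access-control PM_FPM
 class STACK_IP_UDP
  service-policy PM_DROP_SAMPLE
!
! (4) Apply the policy to an interface, then verify.
interface FastEthernet0/0
 service-policy type access-control input PM_FPM
!
! Verification, run from exec mode; the per-class packet counters show
! whether the filter is matching traffic:
!   show policy-map type access-control interface FastEthernet0/0
```

Because only the initial fragment is inspected and patterns split across packets are not seen, a filter like this should be treated as a static-pattern stopgap rather than a replacement for stateful inspection.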

June 10th, 2009

Cumulative Product Updates

Hi everybody,

Real quick, a short overview of our recent updates

Security:

New “Hotfix” section posted to VOL1 v5.0 area. This new section is designed to cover the recent addition to CCIE SC blueprint. So far it’s just about 50 pages, but we’re going to update it constantly until we cover all “hot” topics. Check it out for some new ASA features, IOS FPM, ZFW and CPPr.

VOL2 Lab3 has been released with updated solutions. Lab4 should be coming out this weekend as well.

Routing & Switching:

Look into your VOL2 v5.0 area to see updated Labs 8 and 9 added there. We’re going to post four additional labs this week and then switch back to releasing the updates for CCIE RS v4.0 track.

Voice:

New addition to VOL1 labs of IEWB-VO. Here is the updated list of the new labs:


May 21st, 2009

INE Releases the CCIE Security Core Knowledge Simulation!

On June 15, 2009, the CCIE Security Lab Exam receives the new Core Knowledge section. To help prepare students for this critical new lab exam component, the CCIE Security Core Knowledge Simulation is now available for purchase.

For more information, or to add the product to your shopping cart, use the link below:

CCIE Security Core Knowledge Simulation

May 21st, 2009

W-INE Radio Goes Gold!

The Beta Test is over! Check out W-INE Radio at:

http://radio.ine.com:8000/listen.m3u

The station features Tech Talks and other fun, educational sessions, as well as CD quality tunes to study by!

The Podcast of our Core Knowledge Section Tech Talk is available at:

http://www.ine.com/podcasts/ckp1.mp3

Do you have programming suggestions? Just e-mail wineradio@ine.com

May 19th, 2009

IE Product Updates

Hi Everyone,

We’ve just posted a number of new SC and RS VOL1 labs updates (VPN and BGP sections respectively). It’s obviously taking some time to update the existing IEWB-SC VOL1 labs, as we’re adding a lot of new topics and breakdown material. Therefore, we’re changing the update model by focusing primarily on the new topics, as an addition to the existing v3.0 labs. After the “hot” stuff has all been covered, we’ll continue updating the existing material. As for the new labs posted under the IEWB-SC VPN section, here is the list:

IOS ezVPN Server
IOS ezVPN Server using VTI
IOS ezVPN Server: Group Lock
IOS ezVPN Server: RADIUS Authorization
IOS ezVPN Server: Per User AAA download with PKI
IOS ezVPN Remote: Client Mode
IOS ezVPN Remote: NEM
IOS ezVPN Remote: VTI
IOS ezVPN Remote: Digital Signatures
ASA ezVPN Server
ASA ezVPN Server: DHCP Address Allocation
ASA ezVPN Server: RADIUS Authorization
ASA ezVPN Server: Per User AAA download with PKI
ASA Clientless SSL VPN
ASA Clientless SSL VPN: Port Forwarding
ASA Clientless SSL VPN: Smart Tunnel

The next “scattered” update will probably focus on the (imho overrated ;) GET VPN, ZFW, DAP, Virtual Sensors, IPS Anomaly Detection and some other “hot” topics. Also, VOL2 Lab3 is coming soon as well. Happy studying!

May 18th, 2009

Understanding External Easy VPN Authorization

In this blog post we are going to review and compare the ways in which IOS and ASA Easy VPN servers perform ezVPN attribute authorization via RADIUS. The information on these procedures is scattered among the documentation and technology examples, so I thought it would be helpful to put things together.

To begin with, let’s establish some sort of equivalence between the IOS and ASA terminology. Even though ASA inherited most of its VPN configuration concepts from the VPN3000 platform, it is still possible to find similarities between the IOS and the ASA configurations. Recall that IOS ezVPN configuration defines local ezVPN group policy by means of the crypto isakmp client configuration group command. This could be viewed as a rough equivalent to the ASA’s group-policy type internal command, though the ASA’s command scope is much broader. IOS ISAKMP profiles could be viewed as an equivalent to the ASA’s tunnel-group command defining a connection profile.


May 16th, 2009

Core Knowledge Section to Hit the CCIE Security Track

The latest track to receive a Core Knowledge Section is Security.

The new section arrives Jun 15, 2009. INE hopes to have the new CCIE Security Core Knowledge Simulation released on May 20, 2009.

Here is the official Cisco link (which does not say much):

Official Cisco Announcement

Here are some facts about this new section:

  • You must complete this portion of the exam before you start the traditional configuration portion.
  • You have a total of 30 minutes to complete this section; you may finish early if you like and immediately begin your configuration section.
  • You will receive 4 questions via the computer and you must provide short answers using the computer interface. The questions are not oral in nature. Typical responses require 4 to 5 words at most.
  • Spelling and/or grammar does not count against you.
  • The questions are manually graded by a proctor. If you purchase an exam re-read, they will re-grade your question responses.
  • You may not return to the short answer questions once you have begun the configuration portion of the lab exam.
  • You will not receive a score when you complete this section, but you must pass this portion to pass the CCIE. You will receive your score in the open-ended section if you fail the exam. The score is reported as 0% or 100% (pass or fail). You may only miss one question in the section in order to pass.
  • Most students finish the 4 to 5 questions in approximately 12 minutes.
  • The configuration portion of the exam has been reduced to accommodate this initial 30 minutes.
  • You still have a total of 8 hours that make up the open-ended questions and the configuration portion.
  • You may not access the DOC-CD to answer these questions.

May 1st, 2009

IEWB-SC VOL2: Lab 2 Posted!

Hi Everyone,

Yesterday we posted another VOL2 lab to all subscribed members’ accounts. The lab is a full-scale 8 hour mock exam aimed to prepare you for the real CCIE Security exam. The updated material covers the following new features found in CCIE Security v3.0 blueprint: IPSec VTI (Virtual Tunnel Interface), CBAC Enhancements (found in IOS 12.4), NVI (NAT Virtual Interface), GET VPN (Group Encrypted Transport VPN), Control Plane Protection (an enhancement to Control Plane Policing), SNMPv3 (secure form of SNMP). And of course, more updates for IEWB-SC VOL1 and VOL2 are coming this month!

Happy studying!