CCIE Blog

Helping you become a Cisco Certified Internetwork Expert


Welcome to Internetwork Expert's CCIE Blog


Welcome to Internetwork Expert’s CCIE Blog! This site is dedicated to helping you in your pursuit of becoming a Cisco Certified Internetwork Expert in Routing & Switching, Voice, Security, Service Provider, and Storage. Through this blog you can submit questions to our expert instructors, Brian Dennis - Quintuple CCIE #2210, Scott Morris - Quad CCIE #4713, Brian McGahan – Triple CCIE #8593, Petr Lapukhov - Quad CCIE #16379, Anthony Sequeira - CCIE #15626, Marvin Greenlee - Triple CCIE #12237, Keith Barker - Dual CCIE #6783, Mark Snow - Dual CCIE #14073, and Josh Finke - CCIE #25707. Check back daily as this blog will be updated frequently.


January 28th, 2010

Hadi Esper’s Story

We have had many requests to share this forum post with the blog, so here it is. I also wanted to share a conversation Hadi had with Sales here at INE. I am so proud to be a part of INE! I have so much respect for my fellow instructors - and our incredible students!

Kady Dennis: Thank you for visiting Internetwork Expert. How may I help you today?
Hadi Esper: Hi Kady, I don't really have any questions to ask.. I passed my CCIE R&S (25869) 2 days ago and wanted to say thank you to the sales team who have been very helpful and supportive of me over the last 1 year and 2 months.. I couldn't have made it without your excellent workbooks nor without your amazing discounts
Hadi Esper: you can expect a CCIE success story (which i am writing now) :)
Kady Dennis: Hello Hadi, what can I say besides a huge congratulations!
Kady Dennis: What products do you think helped you the most?
Hadi Esper: thank you :)
Hadi Esper: hmmm.. the most..
Hadi Esper: definitely vol2
Hadi Esper: but I've used vol 1
Hadi Esper: vol 4
Hadi Esper: and the open ended questions
Hadi Esper: which are also invaluable
Hadi Esper: hey btw i still have 512 tokens
Hadi Esper: what should i do with them?
Hadi Esper: I'm thinking of donating them to someone the sales team at INE would choose
Hadi Esper: someone who is preparing and needs them
Hadi Esper: would that be okay?


January 14th, 2010

IOS IPS: CCIE RS, CCIE SC

IOS IPS is fair game for both the CCIE Security and CCIE R/S labs. Now that IOS IPS uses v5 signatures (the same format as the sensor appliance), setting it up is no longer trivial, but it is very important. The intention of this post is to provide a streamlined process to use as a jumpstart into IOS IPS. For full details, examples and explanations, please refer to our lab workbooks; both the R/S and Security workbooks cover the topic. Let's get started!

First, we need a place for the IPS configuration and signature files to live. IOS IPS expects a directory, so let's make one on the router's flash. Optionally, if other writable IOS file systems are present, those can be used as well.

R6#mkdir ips
Create directory filename [ips]?
Created dir flash:/ips
R6#
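The remaining steps of a streamlined IOS IPS v5 setup, continuing from the directory created above, as an added example that is not from the original post or INE's workbooks. The rule name IOSIPS, the interface FastEthernet0/0 and the package file name are assumptions (xxx stands for the signature release number of the package you actually downloaded); the Cisco public key string is not reproduced and must be pasted from Cisco's realm-cisco.pub.key.txt.

```cisco
! Added example (not from the original post). Assumes flash:/ips already
! exists, rule name IOSIPS, interface FastEthernet0/0 and a signature
! package named IOS-Sxxx-CLI.pkg; adjust all of these to your own values.
!
! 1. Point IOS IPS at the directory created above for its config/signature files.
ip ips config location flash:/ips retries 1
!
! 2. Name the IPS rule and choose how events are reported (SDEE and/or syslog).
ip ips name IOSIPS
ip ips notify sdee
ip ips notify log
!
! 3. v5 signatures are compiled into memory, so retire everything first and
!    unretire only the "basic" category; a small router cannot hold them all.
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
! 4. Install Cisco's public key so the signed signature package can be verified.
!    The key-string hex lines come from realm-cisco.pub.key.txt (omitted here).
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   <paste the hex lines from realm-cisco.pub.key.txt here>
  quit
!
! 5. Apply the rule inbound on the interface facing the untrusted network.
interface FastEthernet0/0
 ip ips IOSIPS in
!
! 6. From privileged EXEC, load the signature package; "idconf" is the IOS IPS
!    target that parses and compiles it, then verify:
!    copy flash:IOS-Sxxx-CLI.pkg idconf
!    show ip ips signatures count
!    show ip ips configuration
```

Load the public key before copying the package; if the key is missing or mistyped, the package is rejected as unsigned and `show ip ips signatures count` reports no compiled signatures. Keep the retired/unretired category step in place when moving between the basic and advanced categories, since compiling too many signatures can exhaust router memory.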


January 7th, 2010

CCIE L2 security, a FRAME of reference…

We are putting the final touches together for the CCSP bootcamp that is launching soon. (PS, it is going to ROCK! :) ) As I was going through the demos on L2 security, I was reminded of how this topic is often an Achilles heel for many CCIE candidates, both R/S and Security.

This blog post is meant to refresh your memory and provide some examples of layer 2 security on the Catalyst switch. We will begin with DHCP snooping.

December 15th, 2009

CCNA Security Releases in Jan 2010

INE is thrilled to announce the release of CCNA Security in Jan 2010. Pricing and exact availability will be announced soon. Here is the outline for this exciting new course. CCIE Routing and Switching students should note how much this course can aid with the version 4.x blueprint!

Module 1: Security Threats

Lesson 1: Attack Mitigation
Lesson 2: Mitigating Worms, Viruses, and Trojan Horse Attacks
Lesson 3: Cisco Self Defending Networks

Module 2: Securing Cisco Routers

Lesson 1: SDM Security Audit
Lesson 2: SDM One-Step Lockdown
Lesson 3: Secure Admin Access
Lesson 4: Securing Router Files


October 31st, 2009

CCIE R&S Troubleshooting – Sample Trouble Tickets – Part 1

Things sure can get spooky in the Troubleshooting section of the new Version 4 Blueprint! Cisco can present a pretty vague issue; give you a very lame diagram; and then really press you for time to solve the Trouble Ticket. In this blog post, I will walk you through this graveyard and attempt to provide some ideas on an efficient and effective approach. For much more detail and practice, our premier products for this exam section are the Volume 4 workbook (currently being edited and improved upon), and the  brand new 5-Day Troubleshooting Bootcamp.

Are you ready to find prefixes that go bump in the night? Here is the sample Trouble Ticket we will attack, along with the relevant portion of the Cisco diagram. You will want to have some scratch paper handy (just like in the actual exam). Diagramming can prove to be more important here than in any other exam section. You should practice drawing a diagram now based on the show output that follows.


September 2nd, 2009

Cisco IOS Intrusion Prevention System (IPS) Tier 1 Part 1

Beginning in October 2009, students will be required to demonstrate mastery of the Cisco IOS Intrusion Prevention System (IPS) for the CCIE R/S track. This blog post introduces candidates to this relatively new security feature. Note this series of blog posts will focus on Tier 1 knowledge. This information allows mastery for the Core Knowledge section and builds a foundation for later mastery at the Command Line Interface.

Intrusion Prevention replaces the mere Intrusion Detection of previous IOS versions. IDS in IOS was certainly nice (you get alerted when an attack is occurring), but obviously, stopping an attack is much more powerful.


June 14th, 2009

Understanding Flexible Packet Matching

Flexible Packet Matching is a new feature that allows for granular packet inspection in Cisco IOS routers. Using FPM you can match any string, byte or even bit at any offset in an IP (or, theoretically, non-IP) packet. This can greatly aid in identifying and blocking network attacks that carry static patterns in their traffic. The feature has some limitations, though.

a) First, it is completely stateless, i.e. it does not track the state or history of a packet flow. Thus, FPM cannot discover dynamically negotiated ports such as those used by H.323 or FTP, nor can it detect patterns split across multiple packets. Essentially, inspection is applied on a per-packet basis only.

b) Additionally, you cannot apply FPM to control-plane traffic, as the feature is implemented purely in the CEF switching path. Fragmented traffic is not reassembled for matching, and the only fragment inspected is the initial fragment of the IP packet.

c) IP packets carrying IP options are not matched by FPM either, because they are punted to the route processor.

d) Lastly, this feature inspects only unicast packets and does not apply to MPLS-encapsulated packets.

Configuring an FPM filter consists of a few steps.

(1) Loading protocol headers.
(2) Defining a protocol stack.
(3) Defining a traffic filter.
(4) Applying the policy & Verifying

Let's look at each of these steps in depth.
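The four steps above carried through for one static pattern, the UDP/1434 Slammer worm probe that Cisco's own FPM configuration guide uses, as an added example that is not from the original post. The interface name is an assumption, and so is the location of the PHDF files: here they are assumed to have been copied to flash:, while later 12.4T images ship them under system:fpm/phdf/. Because FPM runs only in the CEF path (limitation b above), the policy is applied to a transit interface, not to the control plane.

```cisco
! Added example, not from the original post. Assumes ip.phdf and udp.phdf
! were copied to flash: (or use system:fpm/phdf/ on later images) and that
! FastEthernet0/0 faces the untrusted network.
!
! (1) Load the protocol header definition files so IOS knows the field names.
load protocol flash:ip.phdf
load protocol flash:udp.phdf
!
! (2) Define the protocol stack: IP carrying UDP (protocol number 0x11).
class-map type stack match-all IP_UDP
 match field IP protocol eq 0x11 next UDP
!
! (3) Define the traffic filter: UDP to port 1434 (0x59A), total IP length 404
!     (0x194) and a fixed 4-byte pattern 224 bytes past the start of the IP
!     header. Only the first fragment would ever be checked (limitation b).
class-map type access-control match-all SLAMMER
 match field UDP dest-port eq 0x59A
 match field IP length eq 0x194
 match start l3-start offset 224 size 4 eq 0x4011010
!
! Child policy: the action for matching packets (drop; "log" is the alternative).
policy-map type access-control FPM_UDP_POLICY
 class SLAMMER
  drop
!
! Parent policy: bind the stack class to the child policy so the filter is
! evaluated only on packets whose header stack is IP/UDP.
policy-map type access-control FPM_POLICY
 class IP_UDP
  service-policy FPM_UDP_POLICY
!
! (4) Apply the policy inbound on the transit interface and verify.
interface FastEthernet0/0
 service-policy type access-control input FPM_POLICY
!
! Verification commands (privileged EXEC):
!   show protocols phdf ip
!   show class-map type stack
!   show class-map type access-control
!   show policy-map type access-control interface FastEthernet0/0
```

The nesting is the important design point: the stack class-map describes how to walk the headers, and the access-control class-map then addresses fields by name (UDP dest-port, IP length) or by raw offset from l3-start. Any packet that reaches the router process-switched (control-plane traffic, packets with IP options) bypasses this policy entirely, which is why FPM is a complement to, not a replacement for, CoPP or IPS.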


May 11th, 2009

That Pesky Core Knowledge Section!

I hear the question in Live Bootcamps, and I see it on our forums all the time -  What kind of questions can I expect to come across in the Core Knowledge section of the Lab Exam, and how should I answer them?

Here are some examples of the various question types I believe you can encounter, and my sample responses. I also provide some tips on surviving these buggers.

Question Type 1 – Memorization Type Questions

Q: Your Cisco router has learned a prefix from RIP version 2 and ODR. Which will your router prefer and why?

A: Your Cisco router will prefer the route from RIP version 2, as it possesses the preferable (lower) Administrative Distance: 120 for RIP versus 160 for ODR.

Tip: For questions like this, we need to get back to basics and do some good old fashioned memorization. I suggest making Flash Cards for potential questions of this nature.

Question Type 2 – “Trick” Questions


January 31st, 2009

Migrating to CCIE Security Lab Blueprint v3.0

In this post we will give a brief overview of the upgrade path from the CCIE Security v2.0 blueprint to v3.0. First of all, let's start with the good news for everyone who was preparing using the old blueprint: most of the things you have learned are incorporated smoothly into the new blueprint. Basically, the only thing to forget is your VPN3k configuration skills :) Everything else either remains the same or receives an "incremental update", like LAN-to-LAN VPNs with IPsec VTI interfaces. Let's quickly review the changes made to the hardware and how they could potentially affect you.

  • Removal of the PIX and VPN3k devices, which is natural as both are EOL and EOS. Therefore, forget all about the VPN3k menu system and enjoy the simpler topology without the PIX ;) However, for some people, getting a PIX is more affordable than getting an ASA. In this case, remember that the latest software release supported by the PIX is 8.0(4) (not 8.1) and that you cannot configure SSL VPN on a PIX. Still, you can practice roughly 90% of the firewall features using the PIX.
  • Change from the Catalyst 3550 to the 3560 models. From the security features standpoint, nothing has seriously changed. You can even continue using the older 3550 model, as they are probably cheaper to get nowadays.
  • The much-awaited upgrade from IOS 12.2T to IOS 12.4T. First of all, this might require a change in the hardware platforms you are using. If you were using non-ISR or non-2600XM routers, you will need to move to at least a 2600XM with full flash/RAM (to run the Advanced Security feature set) or the 1841 ISRs. Note that with Dynamips you can play with all 12.4T features without getting your hands on any real gear. Secondly, 12.4T introduces a ton of new features compared to the dusty 12.2T. However, it's not as scary as it might look. Most of the new security features relate to IOS PKI, some AAA enhancements, a bunch of advanced VPN topics and infrastructure security. Probably the most notable features are VPN/firewall related: IPsec VTI, WebVPN/SSL VPN support in IOS, DMVPN Phase 3, GET VPN, Zone-Based and Transparent firewall, and CBAC enhancements. Later in this document we will see those features detailed in the upgrade list of the new SC VOL1 labs.
  • ASA software upgrade from 7.x to 8.x. While it is a major version jump, it does not imply as huge a change in the CLI as the upgrade from 6.x to 7.x did. There is quite a bunch of new features in 8.x code (you will see the list later), but most of them are minor ones. Most likely you will enjoy things like Dynamic Access Policies, LDAP Authentication and Authorization, Secure Desktop enhancements, EIGRP support (who needs that? :), Transparent Firewall NAT and Traffic Shaping. However, if you are solid with the 7.x code, you won't face big problems mastering the new topics.
  • IPS software upgrade from 5.1 to 6.1 and the platform change to the 4240. The catch here is that IPS v6.1 does not support many older IDS/IPS appliances, such as the 4215 or 4235, and getting a 4240 might be expensive. However, there is still some good news. The CLI has not changed as much as it did with the 4.x to 5.1 upgrade, and all your 5.1 knowledge remains valid and up to date. The most notable new features are Virtual Sensors, Anomaly Detection, Threat Rating and the new IPS Manager Express. If you are OK with doing all your configuration via the CLI, you can stick with IPS v6.0, which you can run on the older platforms (4215, 4235), as there are only minor differences between 6.0 and 6.1 (mostly related to IPS Manager Express). Probably the best news is that the old 4215 platform can be successfully emulated in VMware.

Now, let's look at the v2.0 to v3.0 upgrade path that you can take with our products. Below is the list of the VOL1 technology labs. You can see the outdated topics being deleted and the new topics (which are being developed) highlighted. Naturally, many older labs remain perfectly valid for the new track, and you can continue practicing them while waiting for the upgrade to be released. We also decided to keep the NAC labs, even though NAC is not on the current blueprint, mostly because they give you a perfect scenario for advanced ACS configuration. Of course, if you own our current v2.0 products, you will receive the v3.0 updates free of charge.


January 27th, 2009

Cisco R/S and Security Lab Exam Challenge – DoS Protection

One of my student friends from Cisco RTP suggested a great weekly addition to our blog: a sample task from a Mock Lab to challenge the blog faithful. Cool idea! Love it! So as not to spoil your fun when taking our Mock Labs, these tasks have been written specially so that there is no carryover.

My first installment is a topic that could easily appear on either the R/S Lab or the Security Lab. Enjoy! You are more than welcome to post your suggested solution in the comments. I will wait a week and then post a solution in there myself – along with some explanation text. If you enjoy this new blog installment, you should check out our products, because they are even better! :-)

Here we go!

8.0 Security

8.1 DoS Protection

You are concerned about DoS attacks against a key perimeter router in your company. Configure R1 so that it limits the aggregate rate of ARP traffic toward the route processor to 75 packets per second. Routing control traffic marked with an IP Precedence value of 6 should be limited to 100 packets per second.

2 points

NOTE: The solution and walkthrough are posted in the comments below dated February 6, 2009. Once again, this is a fraction of what you receive in our products!
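One way to meet the task above with aggregate Control Plane Policing (CoPP), as an added example. It is not the instructor's posted solution (that is in the comments) and the class and policy names are arbitrary; it assumes an IOS image that supports packet-per-second policing under control-plane, which 12.4 code does. The task's two requirements map onto two classes: ARP is classified by protocol, and routing control traffic by IP Precedence 6 (internetwork control).

```cisco
! Added example, not the instructor's posted solution. Assumes an IOS image
! with pps-based policing on the control plane; names are arbitrary.
!
! Classify ARP punted toward the route processor.
class-map match-all COPP_ARP
 match protocol arp
!
! Classify routing control traffic by its IP Precedence value.
! Precedence 6 (internetwork control) is what OSPF, EIGRP, BGP etc. set.
class-map match-all COPP_ROUTING
 match ip precedence 6
!
! Police each class in packets per second: conforming packets reach the RP,
! excess packets are dropped. Nothing is configured under class-default,
! so all other control-plane traffic is left untouched, as the task requires
! limits only for these two kinds of traffic.
policy-map COPP
 class COPP_ARP
  police rate 75 pps conform-action transmit exceed-action drop
 class COPP_ROUTING
  police rate 100 pps conform-action transmit exceed-action drop
!
! Attach the policy inbound on the aggregate control-plane interface.
control-plane
 service-policy input COPP
!
! Verification (privileged EXEC): per-class conformed/exceeded packet counters.
!   show policy-map control-plane input
!   show class-map COPP_ARP
```

Two practitioner checks before calling this done: confirm with `show policy-map control-plane input` that the ARP class actually sees traffic (a class that never matches usually means the image lacks `match protocol arp` support on the control plane), and make sure your routing protocols really mark precedence 6, otherwise they land in class-default and are not limited at all. Policing in pps rather than bps is deliberate here, since the task states both limits in packets per second.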