Page 1 of 3
Results 1 to 25 of 56
  #1 Kreken (Senior Member; NYC; joined Sep 2012; 280 posts; certifications: CCNP R&S, CCDP, CCNP:S)

    My CCIE Security (thread)

    I was debating starting this thread for some time. I am not a blogger, but I realized I need a reminder... so here it is.

    A bit about my background. I started getting involved with network security around 2007-2008 when I was working as network engineer. Over the years, I drifted more and more into the security realm. It became my main focus two years ago.

    Originally, I started studying for CCIE R&S, but as my focus shifted, so did my studies, to CCIE Security. Overall, I have been studying for the CCIE(s) on and off for a couple of years now, mostly reading books and watching training videos. I would have continued that trend for years if it wasn't for my team lead at my previous job, who is also a CCIE, and my wife. They pushed me to actually take the next step. Albeit, my wife pressured more; she wants me to finally cross the 200K mark.

    I passed the written two weeks ago and am now waiting on the schedule to show up for December. I plan to make my first attempt in mid-December and the second at the end of January.

    As for my study plan, I will probably read one more book about ISE (Cisco ISE for BYOD), catch up on GETVPN, take Narbik's Zero to Hero on 27 Aug and spend the rest of the time practicing configs.

    For my home lab, I don't have much. I have 1x 3560, 2x 2950 and 1x 1602i AP. Four lab topics can be practiced in GNS3 together with these three switches. For the other two, I bought a server on eBay which comes in today. The server is a DL360 G6, dual quad-core Xeon 2.26GHz, 72GB RAM, 4 NICs, P410 RAID controller, and it cost me $91 (+ $50 s&h). Plus 2x 300GB SAS 10K RPM disks for $50. I will install ESX and then spin up VMs for ISE, ACS, WSA, WLC, AD and another host for GNS3; I will do a breakout from GNS3 to the 3560.

  #2 Iristheangel (ABL - Always Be Labbin'; Pasadena, CA; joined Dec 2009; 3,564 posts; certifications: CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs)
    One of us! One of us! :P
    BS, MS, and CCIE #50931
    Blog: www.network-node.com/blog
    Bonus TE Fun: Nerd Photos

  #3 NetworkNewb (They are watching you; Off the grid; joined Feb 2015; 2,362 posts; certifications: A+/Net+/Sec+, CCENT, CCNA:Sec, CCSK, GCIH)
    Best of luck with your studies

  #4 Iristheangel (ABL - Always Be Labbin'; Pasadena, CA; joined Dec 2009; 3,564 posts; certifications: CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs)
    Joking aside, I would recommend ditching the ISE for BYOD book. It's probably the oldest ISE book out there. The two critical ones are as follows:
    - Practical Deployment of Cisco ISE (just released late last year and written for 1.4)
    - SISAS OCG - Older book but not as old as BYOD and still largely relevant. It was written for 1.2 but goes into it in more detail than the BYOD book

    Since ISE 2.1 has some new features and enhancements, anything not covered there, you could use something like this: https://communities.cisco.com/docs/DOC-64012


    PM me if you want some good materials on the upcoming Security track

  #5 gorebrush (...loading...; UK; joined Apr 2005; 2,717 posts; certifications: CCIE:R&S, CCNP:R&S, CCNA:S, MCSE, MCSA:M, MCTSx2)
    Good luck!

    I assume you are aware the lab is changing soon, right?

  #6 aftereffector (Senior Member; NC; joined Dec 2013; 512 posts; certifications: CISSP, CASP, CCNA R/S, CCNA Security, MCTS)
    Awesome! I'll be following your journey!
    CCIE Security - this one might take a while...

  #7 Kreken (Senior Member; NYC; joined Sep 2012; 280 posts; certifications: CCNP R&S, CCDP, CCNP:S)
    Thanks guys.

    Iris, thanks for the recommendation.

    I am aware that the lab is changing. I would like to try v4 because I have experience working with that technology and was studying for it long before the change was announced. Hence the date for the first attempt in early December, so I could wait 30 days and schedule another attempt in January if needed.

  #8 Kreken (Senior Member; NYC; joined Sep 2012; 280 posts; certifications: CCNP R&S, CCDP, CCNP:S)
    I just purchased Zero to Hero from Micronics, which starts on 27 Aug.

  #9 Kreken (Senior Member; NYC; joined Sep 2012; 280 posts; certifications: CCNP R&S, CCDP, CCNP:S)
    1. My server came in on Monday but still isn't set up because of a keyboard... It doesn't recognize USB keyboards during boot, so I can't set up iLO and configure the BIOS and RAID settings. A USB-to-PS/2 converter doesn't give enough juice to my Razer keyboard, and I am too cheap to spend $20 on a keyboard I will use for exactly two minutes. My friend owns a computer shop in the city; I'll borrow one from him today.

    So this week I spent my time labbing in GNS3. I concentrated on GETVPN with and without multiple VRFs, IKEv1 and IKEv2 site-to-site IPsec VPN and a little bit of DMVPN (phase 2). I did some troubleshooting, looking at errors and debug messages. Next week, I will continue with VPNs but with more DMVPN (phases 2 and 3), and will add EZVPN and RA VPN.

    No studying this weekend. Tomorrow is the Spartan Super race in PA, and I'm taking my kids to a lake on Sunday.

    2. I scheduled the lab for 12 December at RTP.

  #10 gorebrush (...loading...; UK; joined Apr 2005; 2,717 posts; certifications: CCIE:R&S, CCNP:R&S, CCNA:S, MCSE, MCSA:M, MCTSx2)
    Quote Originally Posted by Kreken:
    > Thanks guys.
    >
    > Iris, thanks for the recommendation.
    >
    > I am aware that the lab is changing. I would like to try v4 because I have experience working with that technology and was studying for it long before the change was announced. Hence the date for the first attempt in early December, so I could wait 30 days and schedule another attempt in January if needed.

    Yes, I figured this would be your approach. I was tempted to do the v4. If I were to remain at the NOC then I would have gone balls-to-the-wall to finish v4 by end of the year because we use a lot of the technology here.

    As it stands now, I can take a step back and look at v5 at my leisure as opposed to going all out.

  #11 Kreken (Senior Member; NYC; joined Sep 2012; 280 posts; certifications: CCNP R&S, CCDP, CCNP:S)
    That, and most likely I will be changing jobs again at the beginning of next year.

  #12 Kreken (Senior Member; NYC; joined Sep 2012; 280 posts; certifications: CCNP R&S, CCDP, CCNP:S)
    Still labbing VPNs and configuring firewalls. I think it was in one of INE's videos that the instructor said VPNs and the ASA are the core topics of the lab. I am trying to get them down first before moving on.

    The "most likely" turned into a definite yes, and I will be moving into a hands-off consultant/architect position in January.

  #13 Kreken (Senior Member; NYC; joined Sep 2012; 280 posts; certifications: CCNP R&S, CCDP, CCNP:S)
    After doing almost exclusively VPNs, I got burned out and had to take a week off. Lesson learned - don't concentrate on one topic only.

    At work, I set up WLC, ISE and WSA in VMware Player. WSA is still missing a license. The ISE 1.1 .iso already comes with a 90-day trial license. I have a small switch and an ASA on my desk, so I can practice a lot of different scenarios.

  #14 Kreken (Senior Member; NYC; joined Sep 2012; 280 posts; certifications: CCNP R&S, CCDP, CCNP:S)
    Last week I contacted Cisco licensing and got a 45-day license for WSA; going through the Cisco site didn't work for me. At this point, I have an almost complete virtual lab at work.
    Since my last post, I have spent most of my time on IPS, WSA and WLC.
    Ten more days before Narbik's class starts.

    I started reading Optimal Routing Design for work. If anybody can suggest a good design book that doesn't induce apathy and drowsiness after three pages, I would appreciate it.

    Edit: Added a virtual version of Cisco IPS 4200 to GNS3 today. So now I can access it with IME from my desktop.
    Last edited by Kreken; 08-17-2016 at 07:24 PM.

  #15 Kreken (Senior Member; NYC; joined Sep 2012; 280 posts; certifications: CCNP R&S, CCDP, CCNP:S)
    I practiced WSA and the system hardening/threat mitigation topics.
    ISE will be my main focus for the next couple of weeks.
    Narbik's workbooks are supposed to come in by the end of the week, with lab access given on Saturday. Hopefully, I will find enough time and will to do the workbooks and my own lab scenarios.

  #16 Kreken (Senior Member; NYC; joined Sep 2012; 280 posts; certifications: CCNP R&S, CCDP, CCNP:S)
    The first class was on Saturday. It was mostly a review, but I did learn a couple of new things. The explanation of packet processing by the ASA was excellent. Sadly, the pods will only be ready on Wednesday. In the meantime, I am re-watching the recorded class session, reading through the workbooks and doing my own labs.

  #17 Iristheangel (ABL - Always Be Labbin'; Pasadena, CA; joined Dec 2009; 3,564 posts; certifications: CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs)
    Nice, you're actually in that class with a bunch of folks I know. Say hi to Steve, Earl, Carlton, Matt D, Daniel, and Jay for me. My recommendation is to give the video 1-2 hours a day so you don't overwhelm yourself. I got more out of the re-watch than the live class due to my ADHD nature.

  #18 Kreken (Senior Member; NYC; joined Sep 2012; 280 posts; certifications: CCNP R&S, CCDP, CCNP:S)
    I think mbarrett is there too. Is the Daniel you included the same person as aftereffector?

    While looking up some switch commands to configure 802.1X for ISE, I landed on your blog. Great stuff. I have a question for you (ISE is my weakest topic since I haven't worked with it). What is the reason for the selection of those particular VSAs in this article, Switch Configuration for ISE dot1x? Would I choose the same for an IP phone or PC?

  #19 Iristheangel (ABL - Always Be Labbin'; Pasadena, CA; joined Dec 2009; 3,564 posts; certifications: CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs)
    Yep. They are there. We actually have a Slack channel where we all bat stuff back and forth about the class and lab it up. I shared my ~500 pages or so of notes with them from the first class. They can tell you how OCD I am about notes. *twitch twitch*

    As far as the switch configuration, you don't need to use EVERY command I put in there, since in larger environments they're redundant and can make it pretty chatty for profiling. The ones I included will give you a couple of different items which help in identifying the type of device that is connecting. It's a global setting on the switch, so you wouldn't turn it on/off per port. Even if you're going to use nothing but dot1x supplicant-capable devices on your network, you would still have SOME profiling to track the device as it connects and get ISE the MAC and IP address of the device. But in almost all cases, not every device in your network is going to have a supplicant. You're going to have "dumb" devices connected such as phones, APs, CCTV cameras, printers, etc., and that's where good profiling comes in handy and helps you with the fidelity of the profiling. It should also be paired with a restrictive authorization profile to prevent any potential security issues.

  #20 aftereffector (Senior Member; NC; joined Dec 2013; 512 posts; certifications: CISSP, CASP, CCNA R/S, CCNA Security, MCTS)
    Daniel here!

  #21 mbarrett (Senior Member; DC; joined Apr 2016; 265 posts; certifications: CISSP CEH CCNP Security)
    Yeah, I'm in the Z2H. Not bad so far, I'm glad we are easing into the tough parts.
    I'm going to try to take the v4 written before they stop offering it, if I can. Might be too much at once, though.
    Good luck with your studies.

  #22 Kreken (Senior Member; NYC; joined Sep 2012; 280 posts; certifications: CCNP R&S, CCDP, CCNP:S)
    I spent the past couple of days trying to figure out the AAA config. The information below is based on Iris's blog, Cisco docs and videos. This is the bare minimum that needs to be configured on a switch to make it work with ISE. Comments/corrections are welcome.

    MAB
    To enable MAB on a switch you need to do the following:
    1. enable AAA
    aaa new-model

    2. configure the ISE server
    aaa group server radius ISE
     server-private 192.168.1.1 key cisco
     ip radius source-interface vlan 1

    3. global authentication server
    aaa authentication dot1x default group ISE

    4. enable MAB and authentication under the interface
    int fa0/1
     mab
     dot1x pae authenticator
     authentication port-control auto

    MAB+EAP
    1. enable dot1x
    dot1x system auth-control

    2. enable MAB with EAP under the interface
    int fa0/1
     mab eap

    Phone + PC config
    VLANs: While the data VLAN can be assigned by ISE, the voice VLAN has to be configured on the interface. The IP phone's initial communication with ISE happens over the data VLAN; after authorization it is moved to the voice VLAN. The assigned data VLAN must be configured on the switch.

    To allow a phone and a PC on one port you need to enable ACL and VLAN assignment from ISE, enable multiple MAC addresses on the port and configure the authentication order.

    A. To enable ACL and VLAN assignment from ISE:
    1. configure authorization
    aaa authorization network default group ISE

    2. enable device tracking
    ip device tracking

    3. enable VSAs
    radius-server vsa send authentication

    B. To enable multiple MACs:
    int fa0/1
     authentication host-mode multi-domain

    Note on the multiple-MAC host modes:
    authentication host-mode multi-domain - allows one MAC in the data VLAN and one MAC in the voice VLAN
    authentication host-mode multi-auth - allows one MAC in voice and many MACs in data
    authentication host-mode multi-host - authenticates only the first MAC; subsequent MACs are allowed without authentication (e.g. behind a WiFi controller)

    C. Configure the authentication order (MAB for the phone, dot1x for the PC)
    int fa0/1
     authentication order mab dot1x

    Optional - change the violation action
    int fa0/1
     authentication violation restrict (default is shutdown)

    Profiling
    RADIUS communication is always initiated from a client to a server. For profiling to work, ISE needs to be able to initiate the communication. CoA is used to change that.

    To configure CoA:
    aaa server radius dynamic-author
     client 192.168.1.1 server-key cisco
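    As an added example (not Kreken's config and not a Cisco tool), here is a small Python audit that reads an IOS-style switch configuration and checks it against the checklist in this post: AAA and a RADIUS server group that actually contains a server, method lists that point at a defined group, MAB/dot1x/port-control on every authenticating port, multi-domain host mode plus MAB-first order wherever a voice VLAN is present, and the CoA client block (`aaa server radius dynamic-author`). The sample config is constructed for illustration; its interface names, IP address and key are placeholders, and the script assumes the classic `authentication ...` interface syntax used in the post.

```python
# Audit an IOS-style switch config for the bare-minimum ISE pieces listed in
# the post above (AAA + RADIUS group, MAB/dot1x on the port, authorization for
# VLAN/ACL assignment, multi-domain + MAB-first order on phone/PC ports, CoA).
# Constructed for illustration; nothing here comes from a real switch.
import re
from typing import Dict, List, Tuple

# Constructed sample running-config: Fa0/1 is a complete phone + PC port,
# Fa0/2 is half done, and the CoA block is left out on purpose.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius ISE
 server-private 192.168.1.1 key cisco
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
dot1x system auth-control
ip device tracking
radius-server vsa send authentication
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 20
 mab
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode multi-domain
 authentication order mab dot1x
interface FastEthernet0/2
 switchport voice vlan 20
 mab
 dot1x pae authenticator
"""

PORT_CHECKS = (
    ("mab", r"^mab( eap)?$"),
    ("dot1x pae authenticator", r"^dot1x pae authenticator$"),
    ("authentication port-control auto", r"^authentication port-control auto$"),
)


def parse_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Split IOS-style text into (top-level line, [indented sub-lines]) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _has(lines: List[str], pattern: str) -> bool:
    return any(re.match(pattern, ln) for ln in lines)


def audit_global(blocks) -> List[str]:
    """Return the global checklist items that are missing or inconsistent."""
    top = [line for line, _ in blocks]
    missing = [item for item in ("aaa new-model", "dot1x system auth-control",
               "ip device tracking", "radius-server vsa send authentication")
               if item not in top]
    # A RADIUS server group only counts if it actually lists a server.
    groups = {m.group(1): kids for line, kids in blocks
              if (m := re.match(r"^aaa group server radius (\S+)$", line))}
    if not any(_has(kids, r"^server(-private)? \S+") for kids in groups.values()):
        missing.append("aaa group server radius <name> with a server entry")
    # The dot1x authentication and network authorization (VLAN/ACL from ISE)
    # method lists must reference a group that is really defined.
    for label in ("authentication dot1x", "authorization network"):
        hits = [m for ln in top if (m := re.match(rf"^aaa {label} default group (\S+)", ln))]
        if not hits:
            missing.append(f"aaa {label} default group <name>")
        elif hits[0].group(1) not in groups:
            missing.append(f"aaa {label}: group '{hits[0].group(1)}' is not defined")
    # CoA: ISE must be a dynamic-author client, otherwise profiling cannot
    # push a re-authorization to the switch.
    coa = [kids for line, kids in blocks if line == "aaa server radius dynamic-author"]
    if not coa or not _has(coa[0], r"^client \S+ server-key \S+"):
        missing.append("aaa server radius dynamic-author with a client entry (CoA)")
    return missing


def audit_interfaces(blocks) -> Dict[str, List[str]]:
    """Check every port carrying MAB or dot1x; return the missing items per port."""
    report: Dict[str, List[str]] = {}
    for line, kids in blocks:
        if not line.startswith("interface ") or not (
                _has(kids, r"^mab") or _has(kids, r"^dot1x pae authenticator$")):
            continue  # not an authenticating port; nothing to check
        missing = [label for label, pat in PORT_CHECKS if not _has(kids, pat)]
        # Phone + PC on one port: a voice VLAN needs a multi-* host mode and
        # MAB before dot1x so the phone is not left waiting on EAP.
        if _has(kids, r"^switchport voice vlan \d+"):
            if not _has(kids, r"^authentication host-mode multi-(domain|auth)$"):
                missing.append("authentication host-mode multi-domain (voice vlan present)")
            if not _has(kids, r"^authentication order mab dot1x$"):
                missing.append("authentication order mab dot1x (voice vlan present)")
        report[line.split(None, 1)[1]] = missing
    return report


def audit(text: str) -> Dict[str, object]:
    blocks = parse_blocks(text)
    return {"global": audit_global(blocks), "interfaces": audit_interfaces(blocks)}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

    Run as-is it reports the missing CoA block and the incomplete Fa0/2; paste the text of a real `show running-config` into `audit()` to check a lab switch. The patterns match the classic IOS command set used in the post, so a switch converted to the newer policy-map style (IBNS 2.0) would need different patterns.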

  #23 Kreken (Senior Member; NYC; joined Sep 2012; 280 posts; certifications: CCNP R&S, CCDP, CCNP:S)
    So the class was cancelled for this Saturday. Still no lab access. Neither Piotr nor Janet responds to the emails I sent. This doesn't make me a happy camper.

  #24 Iristheangel (ABL - Always Be Labbin'; Pasadena, CA; joined Dec 2009; 3,564 posts; certifications: CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs)
    Piotr is working during the week. I think Janet sent an email out stating that there were electrical issues and you'll be getting lab access next week. It took about 2 weeks before we got lab access for our class too. What happened is that they gave us a month of extra pod access. Since you only did some basic ASA stuff last week, you're not really behind in the labbing part.

  #25 Kreken (Senior Member; NYC; joined Sep 2012; 280 posts; certifications: CCNP R&S, CCDP, CCNP:S)
    I got a reply from Janet today. She said they are upgrading the equipment and will extend the lab access. Problem is, my lab date is on 12 Dec.