Routing, switching and frame-relay for CCIE security LAB
Maybe (as a CCIE Security candidate) you are wondering how deeply you need to master routing, switching and Frame Relay. These topics are the core of the R&S lab, but we need fairly deep knowledge of them as well. Before version 2, the CCIE Security lab was more like a CCIE R&S lab with security features plus some security devices; in version 2, switching, routing and Frame Relay are pre-configured, but that of course does not mean we don't need to know those technologies.
What does Cisco say?
I found the following information in the Cisco Networkers CCIE Security Techtorial. I guess this is from 2006, but it is for version 2:
The Routers and Switches in Your Topology Are Preconfigured With:
• Basic IP addressing, hostname, passwords
• Switching: Trunking, VTP, VLANs
• Frame Relay: DLCI mapping (static/dynamic)
• Core Routing: OSPF, RIP, EIGRP, BGP
• All pre-configured passwords are ‘cisco’
Security devices (PIX, ASA, VPN3000, IDS) are not initialized; the candidate is required to do so.
I also found an interesting post on Cisco NetPro (the question was answered by Yusuf, the Cisco CCIE Security program manager):
“IP routing, basic Layer 2 (basic switching, FR) will be pre-configured on Routers and Switches only. You still have to do some configs on the security appliances (PIX/ASA, IPS, VPN3k). In some occasions, you may also have to do some additional Layer2/3 configs to complete a task. Some questions in the exam relate to troubleshooting skills, which will require you to identify errors in the preloaded configs. These errors could be of any part of your network… It will be a network-wide troubleshooting.”
So this means we need to be able to identify VLAN misconfigurations, routing protocol misconfigurations, wrong DLCI numbers and so on, anywhere in the pre-loaded configurations.
Let's look at all the technologies.
SWITCHING
This is the easiest part for me (and I guess for everyone). I am quite confident in switching (I worked on LANs with more than 1800 PCs, so STP, VTP, EtherChannel and trunks are familiar ground).
According to the Security Techtorial mentioned above, the following switching features are pre-configured: VTP domain, VLAN database, port-to-VLAN assignment.
No big surprise: everyone who practices labs at home or rents labs from a vendor starts with this pre-configuration.
We are required to configure Catalyst security features such as port security, 802.1X, AAA, traffic control (storm control), SPAN and RSPAN, so I believe anyone who wants to master these features is already familiar with switching fundamentals like spanning tree and VTP.
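The Catalyst features listed above, put into one configuration as an added example (this is not from the original post or from the Cisco Techtorial): port security, storm control, 802.1X against a RADIUS server, local SPAN and RSPAN, followed by the show commands used to verify them and to spot errors in a pre-loaded switch configuration. Interface numbers, VLAN IDs, the RADIUS server address and the shared key are assumed.

```cisco
! Added example (not from the original post): Catalyst IOS 12.2 security features.
! Interface numbers, VLAN IDs, RADIUS server address and key are assumed.
!
! --- Port security: one sticky MAC on an access port, violation shuts the port ---
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ! Traffic control: shut the port on a broadcast/multicast storm above 20% of bandwidth
 storm-control broadcast level 20
 storm-control multicast level 20
 storm-control action shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- 802.1X: AAA pointed at a RADIUS server, then enabled per port ---
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.1.1.5 key cisco
dot1x system-auth-control
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
!
! --- Local SPAN: mirror a server port (both directions) to the IDS sensor port ---
monitor session 1 source interface FastEthernet0/3 both
monitor session 1 destination interface FastEthernet0/24
!
! --- RSPAN: carry mirrored traffic over the trunk in a dedicated remote-span VLAN ---
vlan 900
 remote-span
monitor session 2 source interface FastEthernet0/4 both
monitor session 2 destination remote vlan 900
! On the switch where the sensor sits:
!   monitor session 2 source remote vlan 900
!   monitor session 2 destination interface FastEthernet0/24
!
! --- Verification (also the first stop when the pre-loaded config has errors) ---
show port-security interface FastEthernet0/1
show dot1x interface FastEthernet0/2
show monitor session all
show vlan brief
show interfaces trunk
show vtp status
```

The last four show commands are what you reach for when a task "does not work": a port in the wrong VLAN, a trunk not allowing the VLAN, or a VTP domain/password mismatch that stops VLANs from propagating all look the same from the security appliance's point of view (no traffic), and are only visible here.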
ROUTING
This is more difficult than switching. I don't mean more difficult as a technology (that it of course is), but more difficult to judge what skills are actually needed. Core routing is pre-configured on the routers, but we still have to configure all of the routing on the ASA firewalls.
We can also be asked to allow RIP, OSPF, EIGRP or BGP through a firewall, so we need to know the protocol architecture: RIPv2 uses UDP port 520 and multicasts its updates to 224.0.0.9, OSPF is IP protocol 89 and sends hellos to 224.0.0.5 and 224.0.0.6, EIGRP is IP protocol 88 and uses 224.0.0.10, and BGP is a unicast TCP session on port 179. One caveat: the link-local multicast hellos of OSPF and EIGRP are never forwarded by a routed-mode ASA, so "through the firewall" in practice means a transparent-mode ASA with access lists permitting the protocol, or unicast neighbours (OSPF non-broadcast network type with neighbor statements) or a GRE tunnel across a routed firewall.
Looking at routing configuration on the firewall itself: ASA 7.x supports RIP and OSPF, there is no BGP support, and EIGRP only arrives in version 8.0(2). So we need to be really, really familiar with the OSPF and RIP features.
OSPF on the ASA is quite IOS-like. The security appliance supports the following OSPF features:
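Permitting the four routing protocols across a firewall, as an added example (not from the original post): an ASA 7.x in transparent mode with a router on each side, using the protocol numbers and ports given above. The interface names, the access-list name, the management address and the BGP peer addresses are assumed.

```cisco
! Added example (not from the original post): ASA 7.x in transparent mode passing
! RIPv2, OSPF, EIGRP and BGP between a router on each side. Interface names,
! ACL name and addresses are assumed.
!
! Protocol facts the access list relies on:
!   RIPv2  UDP/520, updates multicast to 224.0.0.9
!   OSPF   IP protocol 89, hellos to 224.0.0.5 and 224.0.0.6
!   EIGRP  IP protocol 88, hellos to 224.0.0.10
!   BGP    TCP/179, unicast between the two peers (either side may open the session)
!
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
! Management address of the transparent firewall, in the routers' subnet
ip address 10.0.12.254 255.255.255.0
!
access-list ROUTING extended permit ospf any any
access-list ROUTING extended permit eigrp any any
access-list ROUTING extended permit udp any any eq rip
access-list ROUTING extended permit tcp host 10.0.12.1 host 10.0.12.2 eq bgp
access-list ROUTING extended permit tcp host 10.0.12.2 host 10.0.12.1 eq bgp
!
! The multicast hellos are not tracked as connections, so the list is applied
! inbound on both interfaces instead of relying on the security levels.
access-group ROUTING in interface outside
access-group ROUTING in interface inside
!
! Verification: hit counts per line on the firewall, adjacency on the routers
show access-list ROUTING
show conn
```

In routed mode the same access-list lines still admit the unicast traffic (the BGP session, OSPF packets between unicast neighbors configured with the non-broadcast network type), but the 224.0.0.x hellos stop at the firewall interface, which is why the transparent-mode variant is the one that makes "OSPF through the ASA" work as-is.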
• Intra-area, inter-area and external (Type 1 and Type 2) routes.
• Virtual links.
• Authentication of OSPF packets (both clear-text password and MD5 authentication).
• Configuring the security appliance as a designated router (DR) or backup designated router (BDR). The security appliance can also be set up as an ABR; however, its ability to act as an ASBR is limited to default information only (for example, injecting a default route).
• Stub areas and not-so-stubby areas (NSSA).
• Area border router type-3 LSA filtering.
• Advertisement of static and global address translations.
Redistribution is supported on the ASA as well: you can redistribute routes into an OSPF process from another OSPF process, from a RIP process, or from static and connected routes configured on OSPF-enabled interfaces.
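The feature list above put into a configuration, as an added example (not from the original post or from Cisco documentation): an ASA 7.x in routed mode as the ABR between area 0 and stub area 1, MD5 authentication on the area 0 link, type-3 LSA filtering into area 1, redistribution of a static route and a default route injected into OSPF. Interface names, addresses, the key and the filtered prefix are assumed.

```cisco
! Added example (not from the original post): ASA 7.x routed mode, OSPF ABR between
! area 0 (outside) and stub area 1 (inside). Names, addresses and keys are assumed.
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.0.1.1 255.255.255.0
 ! MD5 authentication on the area 0 link; the key must match the neighbor
 ospf authentication message-digest
 ospf message-digest-key 1 md5 cisco
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
! Static route that is redistributed below (assumed next hop on the inside)
route inside 192.168.0.0 255.255.0.0 10.0.2.2 1
!
! Prefix list that keeps one summary (type-3 LSA) out of area 1
prefix-list NO-10-0-3 seq 10 deny 10.0.3.0/24
prefix-list NO-10-0-3 seq 20 permit 0.0.0.0/0 le 32
!
router ospf 1
 router-id 10.0.1.1
 ! Note the subnet mask: the ASA does not use the IOS wildcard mask here
 network 10.0.1.0 255.255.255.0 area 0
 network 10.0.2.0 255.255.255.0 area 1
 area 0 authentication message-digest
 area 1 stub
 area 1 filter-list prefix NO-10-0-3 in
 ! The two ASBR-style actions the appliance supports
 redistribute static subnets
 default-information originate always
 log-adj-changes
!
! Verification (ASA syntax: "show ospf", not "show ip ospf")
show ospf neighbor
show ospf database
show route
```

The easiest things to get wrong in the lab are the mask format in the network statement and forgetting that `area 0 authentication message-digest` under the process and the interface-level key are both required; `show ospf neighbor` staying empty with `show ospf interface` showing "message digest" on one side only is the usual symptom.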
So if the ASA supports it, we need to master it, even features that are probably not used in real-world scenarios (like the ASA as an ABR); it is still a CCIE lab, so we can expect it. Of course we are not expected to know every detail like our colleagues on the R&S track, and I think most of these topics are covered in the CCNP material; good CCNP knowledge with some routing experience should be enough for the routing part of the CCIE Security lab.
RIP on the ASA is much easier than OSPF: only one RIP process can run at a time, and on each interface you choose passive mode (listen to RIP updates and learn routes, but do not advertise) or default mode (advertise a default route out of that interface).
Don't forget we are still required to configure the security features of the routing protocols, above all authentication (clear text or MD5), on both the routers and the firewall.
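RIP on the ASA with MD5 authentication, plus the matching authentication configuration on the IOS side for RIP, OSPF, EIGRP and BGP, as one added example covering the two paragraphs above (not from the original post). It uses the ASA 7.0/7.1 `rip` interface syntax, which is where the passive/default wording comes from; interface names, addresses, key chain name, keys and AS numbers are assumed.

```cisco
! Added example (not from the original post): RIP on ASA 7.0/7.1 with MD5, and the
! IOS-side authentication for RIP, OSPF, EIGRP and BGP. Names, addresses, keys
! and AS numbers are assumed.
!
! --- ASA (7.0/7.1 syntax, a single RIP process) ---
! passive: listen to RIPv2 updates on inside and install the routes, never advertise
rip inside passive version 2 authentication md5 cisco 1
! default: advertise a default route out of inside, authenticated with the same key
rip inside default version 2 authentication md5 cisco 1
! What the firewall learned, and why an update was rejected
show route
debug rip
!
! --- IOS router on the inside segment: RIPv2 with the same MD5 key and key ID ---
key chain LAB-KEYS
 key 1
  key-string cisco
!
interface FastEthernet0/0
 ip address 10.0.2.2 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain LAB-KEYS
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary
!
! --- The other protocols the lab can ask for (IOS side) ---
! OSPF: clear text on one link, MD5 on another
interface Serial0/0.1 point-to-point
 ip ospf authentication
 ip ospf authentication-key cisco
interface Serial0/0.2 point-to-point
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
!
! EIGRP: MD5 through a key chain, like RIP
interface FastEthernet0/1
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 LAB-KEYS
!
! BGP: MD5 is a TCP option (RFC 2385) set per neighbor
router bgp 65001
 neighbor 10.0.12.2 remote-as 65002
 neighbor 10.0.12.2 password cisco
!
! Quick checks when a key or key ID does not match
show ip rip database
show ip ospf interface Serial0/0.2
show ip eigrp neighbors
show ip bgp summary
```

From ASA 7.2 onward RIP moves into a `router rip` process (with `network`, `version 2` and `passive-interface`) and the authentication goes onto the interface, but the key, key ID and version still have to match the router on the other side of the link exactly; a key ID mismatch is the classic planted error.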
FRAME-RELAY
Next is Frame Relay. According to Cisco, the DLCIs are pre-configured, as is the Frame Relay switch (we don't even have access to it). I think we should be familiar with the ways FR can be used (full mesh, hub and spoke, point-to-point and multipoint subinterfaces, static versus Inverse ARP mapping, etc.).
As has already been said, if you practice for the lab at home or on rented remote labs, the first step is configuring the L2 stuff. I have never worked in an ISP environment, so at the beginning my knowledge of the technology was very limited, but there is a lot of good material on the Cisco website and on the Internet.
To get familiar with FR topologies you can use the free chapters from the book Cisco Frame Relay Configurations. There are also many FR examples on the Cisco website.
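A hub-and-spoke Frame Relay setup of the kind a home or rented lab has to be pre-configured with, as an added example (not from the original post or the book named above): static DLCI mapping with Inverse ARP disabled, a point-to-point hub, the multipoint alternative, and the PVC status values to read when a DLCI number has been planted wrong. DLCIs, addresses and interface numbers are assumed; the Frame Relay switch itself is not shown.

```cisco
! Added example (not from the original post): hub-and-spoke Frame Relay, static
! mapping, Inverse ARP off. DLCIs, addresses and interface numbers are assumed.
!
! --- Hub R1: one point-to-point subinterface per spoke ---
interface Serial0/0
 encapsulation frame-relay
 no frame-relay inverse-arp
 no shutdown
!
interface Serial0/0.2 point-to-point
 description to R2
 ip address 10.0.12.1 255.255.255.252
 frame-relay interface-dlci 102
!
interface Serial0/0.3 point-to-point
 description to R3
 ip address 10.0.13.1 255.255.255.252
 frame-relay interface-dlci 103
!
! --- Spoke R2 ---
interface Serial0/0
 encapsulation frame-relay
 no frame-relay inverse-arp
 no shutdown
!
interface Serial0/0.1 point-to-point
 ip address 10.0.12.2 255.255.255.252
 frame-relay interface-dlci 201
!
! --- Spoke R3 ---
interface Serial0/0
 encapsulation frame-relay
 no frame-relay inverse-arp
 no shutdown
!
interface Serial0/0.1 point-to-point
 ip address 10.0.13.2 255.255.255.252
 frame-relay interface-dlci 301
!
! --- Alternative hub design: one multipoint subinterface with static maps ---
! All three routers then share 10.0.123.0/24. The "broadcast" keyword is what
! lets routing-protocol multicast (OSPF, EIGRP, RIPv2) ride the PVC.
interface Serial0/0.123 multipoint
 ip address 10.0.123.1 255.255.255.0
 frame-relay map ip 10.0.123.2 102 broadcast
 frame-relay map ip 10.0.123.3 103 broadcast
!
! --- Verification, and what the PVC status means while troubleshooting ---
! LMI must be up before any PVC can become ACTIVE
show frame-relay lmi
! ACTIVE   = working
! INACTIVE = the switch knows this DLCI but the far end is down
! DELETED  = this DLCI is not defined on the switch: the typical wrong number
show frame-relay pvc
! Static maps and interface-dlci bindings, with or without "broadcast"
show frame-relay map
```

On the multipoint variant remember that split horizon is disabled for RIP and EIGRP on the physical interface but enabled on multipoint subinterfaces, and that OSPF needs either the non-broadcast network type with `neighbor` statements or point-to-multipoint; with point-to-point subinterfaces none of that applies, which is why they are the safer pre-configuration for a security lab.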

