DENY IP – road to CCIE security

CCIE Security Lab v3 announced

Cisco finally announced CCIE lab changes

CCIE Security v3 exam blueprints are now available and the new exam is expected to be available in April 2009.

LAB EQUIPMENT AND SOFTWARE and LAB EXAM blueprint v3.0

A very good thing is that the devices are the same routers, ASAs, switches, ACS and IPS, just in the latest versions…

No NAC, no MARS, yeah!!!… It is strange to me that Certificate Authority support is not listed.. I would be really surprised if it's removed.

It is funny for me that I was about to try the lab at the end of April :))) I haven't decided yet, but I will go for version 3.. It's more exciting (and more useful) to learn the latest technologies.. so I am really glad I didn't buy any workbook.. Let's wait until the main vendors come out with v3 workbooks.

DENY IP (denyip at linuxmail.org)


QoS for CCIE security

Posted in CCIE sec LAB by denyip on September 6, 2008

I have just finished my QoS training…. I attended this training because my employer asked me to take over some VoIP projects.. I really like voice technology, but it's very difficult to study for CCIE Security and CCM, Unity and other voice stuff at the same time..
The only topic where there is some overlap is QoS – so how can QoS training be useful for security???

The course is focused on MQC (modular QoS CLI), so I have learnt new stuff about traffic policing and shaping, and I got a better understanding of NBAR (important for mitigating attacks).. Cisco IOS MQC is also similar to ASA MPF (modular policy framework), so I now understand MPF better.

I think the course was really interesting and I can take advantage of it in my security studies, but if you are interested only in security this course is not for you – there are lots of interesting (and tough) topics that are useless for security studies (congestion management, link efficiency etc.)..


Routing, switching and frame-relay for CCIE security LAB

Posted in CCIE sec LAB by denyip on July 21, 2008

Maybe (as a CCIE Security candidate) you are wondering how deeply you need to master routing, switching and FR topics. These topics are core for the R&S lab, but we need quite deep knowledge as well. Before version 2 the CCIE Security lab was more like CCIE R&S with security features, plus some security devices… in version 2 switching, routing and frame relay are pre-configured, but it, of course, doesn't mean we don't need to know those technologies.

What does CISCO say?

I found the following information in the Cisco Networkers CCIE Security Techtorial – I guess this is from 2006, but it's for version 2.

The Routers and Switches in Your Topology Are Preconfigured With:

Basic IP addressing, hostname, passwords

Switching: Trunking, VTP, VLANs

Frame Relay: DLCI mapping (static/dynamic)

Core Routing: OSPF, RIP, EIGRP, BGP

All pre-configured passwords are ‘cisco’

Security Devices (PIX,ASA,VPN3000, IDS) Are Not Initialized. Candidate Is Required to Do So

I found an interesting post on Cisco NetPro (a question answered by Yusuf, Cisco CCIE Security program manager):

“IP routing, basic Layer 2 (basic switching, FR) will be pre-configured on Routers and Switches only. You still have to do some configs on the security appliances (PIX/ASA, IPS, VPN3k). In some occasions, you may also have to do some additional Layer2/3 configs to complete a task. Some questions in the exam relate to troubleshooting skills, which will require you to identify errors in the preloaded configs. These errors could be of any part of your network… It will be a network-wide troubleshooting.”

So it means we need to be able to identify VLAN misconfiguration, routing protocol misconfiguration, DLCI number misconfiguration etc….

Let's look at all the technologies.

SWITCHING

The easiest part for me (and I guess for everyone)… I am quite confident in the switching part (I worked on LANs with more than 1800 PCs, so STP, VTP, EtherChannel, trunks, …)

According to the mentioned Security Techtorial, the following switching features are pre-configured:
VTP domain, VLAN database, port-VLAN assignment

No big surprise; everyone who practises labs at home or rents labs from a vendor starts with this pre-configuration.

We are required to configure Catalyst security features like Port Security, 802.1X, AAA, traffic control, SPAN and RSPAN, so I believe whoever wants to master these features is familiar with switching fundamentals like spanning tree or VTP.

ROUTING

This is more difficult than switching… I don't mean more difficult as a technology (it is, of course) but more difficult to determine what skills are needed… Well, core routing is pre-configured on the routers, but we still need to configure all the routing on the ASA firewalls….

But we can be asked to allow RIP, OSPF, EIGRP or BGP THROUGH the firewall, so we need to know the protocol architecture (ports used, multicast IPs etc.)..

If we look at routing configuration on firewalls: ASA 7.x supports RIP and OSPF, there is no support for BGP, and EIGRP comes in version 8.0(2). So it means we need to be really, really familiar with the OSPF and RIP features.

OSPF on ASA is more IOS-like… The security appliance supports the following OSPF features:

• Support of intra-area, inter-area, and external (Type I and Type II) routes.

• Support of a virtual link.

• OSPF LSA flooding.

• Authentication of OSPF packets (both password and MD5 authentication).

• Support for configuring the security appliance as a designated router or a designated backup router. The security appliance also can be set up as an ABR; however, the ability to configure the security appliance as an ASBR is limited to default information only (for example, injecting a default route).

• Support for stub areas and not-so-stubby areas.

• Area border router type-3 LSA filtering.

• Advertisement of static and global address translations.

Redistribution is supported on the ASA: you can redistribute routes into an OSPF routing process from another OSPF routing process, a RIP routing process, or from static and connected routes configured on OSPF-enabled interfaces.

So if the ASA supports this, we need to master it – even if some features (like ABR) are probably not used in real-world scenarios – it is still a CCIE lab, so we can expect it… Of course we are not supposed to know every detail like our colleagues from the R&S track, and I think most of those topics are covered in CCNP material. I think good CCNP knowledge with some routing experience should be enough for the routing part of CCIE Security.

RIP on ASA is much easier than OSPF – you can enable only one RIP routing process at the same time, you can select passive or default mode…..

Don't forget we are still required to configure routing protocol security features like AUTHENTICATION (clear text, MD5)..
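As an added example (not from the original post), here is the ASA-side configuration this paragraph is about: OSPF and RIPv2 with neighbor authentication, with the weak clear-text setting shown commented out beside the MD5 form. It assumes ASA 7.2/8.0 `router ospf` / `router rip` syntax; the addresses, interface names and key values are constructed placeholders.

```cisco
! Added example: ASA OSPF and RIPv2 neighbor authentication.
! Addresses, nameifs and key values are constructed placeholders.
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 ! Weak form: the clear-text password is visible in every OSPF hello
 ! ospf authentication
 ! ospf authentication-key CLEARTEXT_KEY_PLACEHOLDER
 !
 ! Preferred form: MD5 keyed digest; key id and key must match on all
 ! neighbors on this segment
 ospf authentication message-digest
 ospf message-digest-key 1 md5 MD5_KEY_PLACEHOLDER
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.1.2.1 255.255.255.0
 ! RIPv2 per-interface authentication ("mode text" is the weak form)
 rip authentication mode md5
 rip authentication key RIP_KEY_PLACEHOLDER key_id 1
!
router ospf 1
 network 10.0.0.0 255.255.255.0 area 0
 ! Area-wide requirement: hellos without a valid MD5 digest are dropped
 area 0 authentication message-digest
 ! ASBR role on the ASA is limited to injecting a default route
 default-information originate
!
router rip
 version 2
 network 10.0.0.0
 ! Learn RIP on inside but do not advertise updates out of it
 passive-interface inside
```

Verify with `show ospf neighbor` and `show rip database` on the ASA: a neighbor stuck without forming an adjacency after enabling MD5 usually means a key id or key mismatch on the other side.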

FRAME-RELAY

Next is FR – according to Cisco, DLCIs are pre-configured as well as the FRSW (we don't even have access to the frame-relay switch)… I think we should be familiar with how FR can be used (spoke, hub and spoke, point-to-point subinterfaces etc….)

As has already been said, if you practise for the lab in your home lab or you rent remote labs, as a first step you need to configure the L2 stuff… I have never worked in an ISP environment, so at the beginning my knowledge of the technology was very limited, but there are lots of good materials on the Cisco website and on the Internet.

To get familiar with FR topologies you can use the free chapters from the book Cisco FR Configurations. Also on the Cisco website you can find lots of FR examples.
