CCIE Security Lab 1, Steve 1 – I passed!

Greetings Programs!

I sat my second attempt at the CCIE security lab on Monday, March 5th, 2018. This time I got the pass. It was not without a bit of drama.

pass

TL;DR: It’s a very tough exam, harder than you think, harder than you remember. Fight with everything you have until the proctor tells you to stop.

The longer version.

Had the usual anxiety thing in the days leading up to lab day. Did what I could to minimize it. Got ok sleep the night before. On Lab day I wasn’t nearly as nervous as I was in January.

Tshoot.  I came out swinging and quickly solved most of the tickets. Then I had an issue with ISE that left me dead in the water for half an hour. left one ticket unsolved.

Diag was like last time, pretty easy, chance to take a breather and get ready for the main event.

Config started out well, was flying through the first few tasks. Had some annoying issues related to code and platform differences between my personal lab and the actual exam, don’t recall that happening the last attempt.

Then the trouble began.

ISE was acting up, so I attempted to restart it. Application shut down dirty with database errors and would not start. While all this was going on I was trying to work on other stuff and keep moving. Eventually the proctor got ISE running somehow, but the database corruption was an issue and ISE wasn’t adding endpoints to the database, which made several tasks impossible to complete. The lowest point was when he was sending people home, and I knew I didn’t have the points. When he said I could continue I put my head down and kept grinding.

I was just about out on my feet but I kept battling. When I was told I’d have to stop, I looked at my scorecard to add the points, and all the tasks that could be completed were.  Scorecard said I had the points with a small cushion. Would the tasks verify though?

To my amazement I got the email about 3 hours later with the good news.

Much respect to the proctor who probably stayed at work late in order to let me make up the time lost by the ISE debacle. Those folks have a very tough job putting up with us.

Final thought: The CCIE lab is **always** so much harder than you remember it. You can’t simulate what it’s really like. Even after just 7 weeks gap I was going “what the hell!?!”.

Now I get to make things up to my wife and try to lose the 10 lbs of body fat I put on in the final push.

Warmest regards,

-s

SEC-3.3.1 FlexVPN challenge/Exploration lab

Greetings programs!

This is a lab topology I put together in EVE-NG to help me sharpen up my knowledge and skills with IKev2/FlexVPN. The baseline configuration uses pre-shared keys and there’s quite a bit of preconfigure.

 

Screenshot of topology

Here’s a screenshot of the topology.  I’ll give a big shout out to whomever can explain why tunnel 100 between r1 and r2 exists.  🙂

Description

There’s two initial versions in the repo.

  • There’s the actual challenge lab where I removed some bits of config here and there to make it more fun.
  • There’s a partially completed version using pre-share keys.  flex mesh works, the ASA part works, flex client works.  No config on R7.  You could use this as a starting point to work on the tasks in the lab.

Links

 

Challenge lab proper

Challenge lab with working basic config

Fire it up and let me know what you think!  If you get everything working, feel free to do a pull, inject some faults and create some troubleshooting labs.   Here’s the link to the github repo:

Happy labbing!

-s

PKI for Network Engineers (5/?): Online Responder

Greetings Friends!

In this installment of PKI for network engineers, we’re going to install an online responder.  the Online responder implements a lightweight version of OCSP or Online Certificate Status Protocol.  it’s an HTTP based method for entities to check the whether a certificate has been revoked or not. This is an alternative to the Certificate Revocation List (CRL) which is a file that contains a list of all revoked certificates, and can grow quite large over time.

In addition to demonstrating the setup and configuration of the Online Responder, I also demonstrate a handy PKI verification utility called pkiview.

Using pkiview, I review and discuss a couple of mistakes I made in the AIA extensions of My CAs.

If you would like to know more about the Microsoft Online Responder and pkiview, Click the links at the bottom of this post.

Thanks for stopping by, and I look forward to posting the next installment of our awesome lab PKI build.

 

Online Responder installation and troubleshooting guide.

https://blogs.technet.microsoft.com/pki/2011/02/28/quick-check-on-adcs-health-using-enterprise-pki-tool-pkiview/

IKEv1/v2/IOS/ASA Cheatsheet

Greetings fellow networkers.

This is a cheat sheet to cross reference the differences between the two versions of IKE as implemented on Cisco IOS and ASA.

I used Crypto Maps with pre-shared authentication as the reference example because  Virtual Tunnel Interfaces are fairly new on the ASA and I wanted a broadly applicable baseline.  To apply these to tunnel interfaces is a simple matter of replacing the crypto map with an IPSEC profile and calling that under your tunnel interface.

IKEv2 is not cast in the best light here based on the additional configuration in the example, but understand it has an enormous amount of flexibility and maintains a consistent configuration syntax and workflow for all of the VPN permutations compared to IKEv1, where things were bolted on over time.  Additionally, you need IKEv2 to utilize next generation crypto suites.  There’s really no reason to use IKEv1 in new deployments.

Best wishes,

-s