CCIE Security Advanced Technologies Class

Transcript

1	Introduction	0h 37m
2	CCIE Security Preparation Resources	0h 50m
3	ASA Overview	0h 37m
4	Basic ASA Initialization	1h 02m
5	ASA Routing	0h 37m
6	ASA Reliable Static Routing	0h 20m
7	ASA Access Control Lists (ACLs)	0h 41m
8	ASA Modular Policy Framework (MPF) Overview	0h 53m
9	ASA Modular Policy Framework (MPF) Configuration	0h 51m
10	ASA Advanced TCP Inspection with MPF	0h 40m
11	ASA Advanced Application Inspection with MPF	0h 36m
12	ASA Quality of Service (QoS)	0h 30m
13	ASA Network Address Translation (NAT) Part 1	0h 50m
14	ASA Network Address Translation (NAT) Part 2	0h 30m
15	ASA Transparent Firewall Overview	0h 25m
16	ASA Transparent Firewall Configuration	0h 43m
17	ASA ARP Inspection with Transparent Firewall	0h 21m
18	ASA Multiple Context Mode Overview	0h 42m
19	ASA Multiple Context Mode Configuration	0h 59m
20	ASA Redundant Interfaces	0h 22m
21	ASA Failover Overview	0h 19m
22	ASA Active/Standby Failover Routed Firewall Configuration	0h 29m
23	ASA Active/Standby Failover Transparent Firewall Configuration	0h 17m
24	ASA Active/Active Failover Routed Firewall Configuration	0h 37m
25	ASA Multiple Context Transparent Firewall Configuration	0h 29m
26	ASA Active/Active Failover Transparent Firewall Configuration	0h 29m
27	IOS Access Control Lists (ACLs)	0h 23m
28	IOS Time Based ACLs	0h 13m
29	IOS Lock & Key Security with Dynamic ACLs	0h 24m
30	IOS Reflexive ACLs	0h 44m
31	IOS TCP Intercept and Content Based Access Control (CBAC)	0h 39m
32	Zone Based Policy Firewall Overview	0h 26m
33	Zone Based Policy Firewall Configuration	0h 44m
34	ZBPF Self Zone & ZBPF Exceptions	0h 48m
35	Port to Application Mapping (PAM)	0h 32m
36	ZBPF Parameter Tuning	0h 32m
37	ZBPF Application Inspection	0h 27m
38	IOS Transparent Firewall	0h 28m
39	IPsec Overview	0h 37m
40	IOS IPsec LAN-to-LAN Configuration	0h 58m
41	IPsec Troubleshooting	0h 42m
42	GRE over IPsec, IPsec Profiles, & VTIs	0h 51m
43	ASA IPsec Overview	0h 24m
44	ASA IPsec LAN-to-LAN Configuration	0h 20m
45	Certificate Authority (CA) Overview	0h 16m
46	IOS & ASA LAN-to-LAN IPsec with Certificates	0h 57m
47	Easy VPN Overview	0h 12m
48	IOS Easy VPN Server	1h 10m
49	IOS Easy VPN Client	0h 30m
50	IOS Easy VPN with Dynamic VTIs, ISAKMP Profiles	0h 49m
51	ASA Easy VPN Server	0h 51m
52	ASA Easy VPN Server & IOS Easy VPN Client	0h 17m
53	ASA Clientless & AnyConnect SSL VPN	1h 04m
54	DMVPN	1h 05m
55	IPS Overview, Promiscuous Mode & SPAN	0h 43m
56	IPS Promiscuous Mode & RSPAN	0h 28m
57	IPS Blocking Devices & Custom Signatures	0h 50m
58	IPS Inline Mode, VLAN Pairing	0h 15m
59	IPS Virtual Sensors and Signature Engines	0h 16m
60	AAA Overview, Local AAA, & Role Based CLI	0h 51m
61	RADIUS, TACACS+, & Cisco Secure ACS Configuration	0h 51m
62	RADIUS & TACACS+ Exec Authorization & Accounting	0h 39m
63	TACACS+ Command Accounting	0h 30m
64	RADIUS & TACACS+ Enable Authentication	0h 14m
65	IOS Authentication Proxy	0h 33m
Total Duration		39h 19m

Base Configs

Diagrams

Slides - Introduction

Slides - ASA

Slides - IOS Firewall

Slides - VPN

Slides - IPS

Slides - Identity Management

0:00:13	In our next section here for the asa we are going to look at its high availability options
0:00:18	which are going to include both link level high availability
0:00:22	and node level high availability
0:00:24	when we are looking at dynamic routing
0:00:27	reliable static routing returning interfaces and fail over
0:00:33	now the first of these in high availability for an individual link
0:00:38	we are to look at the basic routing logic
0:00:41	of the device
0:00:42	where dynamic routing with rip
0:00:44	or eigrp or ospf
0:00:46	could be considered a high availability mechanism
0:00:49	that if we have multiple outside interfaces
0:00:52	or multiple inside interfaces
0:00:54	simply based on the change of the dynamic routing domain
0:00:59	we are going to be able to heal the network around failures
0:01:02	so if we have two outside interfaces both running ospf
0:01:06	one of them goes down just based on the nature of ospf reconvergence we should be able to switch over to the secondary line
0:01:13	the same would be true if we were doing reliable static routing
0:01:17	so based on that example that we were doing with the sla tracking
0:01:22	then tying that to the enhanced object tracking
0:01:25	if we had multiple outside interfaces
0:01:27	we can use one as a primary
0:01:29	then if its gateway went down
0:01:32	based on the sla measurement
0:01:34	we can report that to the enhanced object
0:01:37	the enhanced object will then report itself as down
0:01:40	which would remove the primary static route from the routing table
0:01:44	which would then allow us to have our floating static route out the secondary interface being stopped
0:01:51	now the additional topics that we have not touched on so far
0:01:55	that are related to high availability
0:01:57	start with the redundant interfaces
0:02:00	which is binding multiple physical interfaces together
0:02:04	to look like their product the same logical group
0:02:08	so this would follow with the link level high availability
0:02:12	where we can have a redundant interface thats running dynamic routing over it
0:02:15	or running static routing
0:02:17	or reliable static routing over it
0:02:20	or if one of the physical links
0:02:22	that are in the redundant bundle goes down
0:02:25	we would be able to start forwarding traffic to the other
0:02:28	redundant interface
0:02:30	now from a node level reliability
0:02:34	that if the entire platform goes down
0:02:36	this is where failover is going to come in
0:02:39	and we are going to look at 4 different variations of fail over
0:02:42	active standby in routing and transparent mode
0:02:45	and active active in
0:02:48	multi context and single context mode
0:02:51	on active active in multi context routed
0:02:54	and active active in multi context transparent
0:03:00	now for the redundant interface configuration
0:03:03	or simply taking multiple links
0:03:05	and grouping them together as one logical interface
0:03:09	so instead of saying interface ethernet 00 or interface management 0
0:03:14	we are going to say interface redundant
0:03:17	and give it a locally significant number
0:03:19	from here we will then assign member interfaces
0:03:23	which are the physical links that actually make up the bundle
0:03:27	then from the interface redundant
0:03:29	this is where all of our logical configuration would go
0:03:33	so anything thats related to the ip addressing
0:03:36	he name if
0:03:38	access list
0:03:39	thats at the configuration is going to
0:03:42	reference from the redundant interface
0:03:45	now one thing that is different about this when we compare it to
0:03:49	like an ether channel in catalyst switching
0:03:52	is that only one interface can be active at a time
0:03:56	so this is not a load balancing feature like ether channel is
0:04:00	its simply just a basic redundancy
0:04:02	that one of the physical links is
0:04:04	that act of fore header for the bundle
0:04:06	and if that active foreheader goes down
0:04:09	whatever is the next one in line is going to take over as the active status
0:04:16	now the physical interfaces
0:04:19	that make up the redundant bundle
0:04:21	this is where we are going to define any of our physical parameters
0:04:26	so similar to where we saw in the multiple context mode
0:04:29	where the physical parameters go in the system context
0:04:32	the physical parameters of the any redundant interface
0:04:36	likewise its going to go on those physical links
0:04:38	so things like the speed or the duplex
0:04:40	where the link is shut down or enable
0:04:44	thats going to go under the physical line
0:04:46	now the redundant interface is going to have any of the logical parameters
0:04:51	like the name the security level the ip address etc
0:04:56	the redundant interface since it does need a layer 2 address to forward
0:05:00	its going to use the mac address of whatever
0:05:02	is the first member in the bundle
0:05:06	now just like we saw with the
0:05:08	the multi context mode
0:05:10	we can manually change
0:05:12	the mac address if we wanted to
0:05:14	andthat would be done under the interface redundant
0:05:21	so lets look at this in our particular case here
0:05:25	with asa 2
0:05:27	that has its connection that is going to the outside
0:05:31	so we have one interface here ethernet 0/0
0:05:34	thats connecting to vlan 122 towards router 2
0:05:40	now what i want to do here is specify that in addition to ethernet 0/0
0:05:45	being the outside interface
0:05:47	i want ethernet 0/2
0:05:50	to be part of the same redundant interface bundle
0:05:54	and then we could use
0:05:55	one of them to forward
0:05:57	as long as atleast one of the physical links is up
0:06:00	so if the primary link goes down we should see immediately that the secondary link is going to take over
0:06:06	now in order to do this we would first need to make sure that our underline layer 2 configuration is correct
0:06:13	so whatever the vlan configuration whatever the other options are
0:06:17	at the interface thats connecting the asa to ethernet 0/0
0:06:22	i want to make sure to replicate that
0:06:24	to our ethernet 0/2
0:06:26	is attaching
0:06:29	where in this particular case
0:06:31	both of them are going to physically attach to
0:06:33	switch 2
0:06:37	so on switch 2 here if we look at the show interface
0:06:40	status
0:06:41	and again i am just going to exclude the ones that are not
0:06:44	connected
0:06:48	or not connect
0:06:51	we could see that asa 1 ethernet 0/0
0:06:54	is in right now its in vlan
0:06:58	122
0:07:01	and i want to make sure that the second interface thats going to be part of the redundant bundle
0:07:06	as the same identical configuration
0:07:08	so on fast ethernet 0/15 here i need to make sure this is in vlan 122 as well
0:07:15	so just lets take a look at the configuration that say show run interface
0:07:19	fast ethernet 14
0:07:21	whatever this is this is what i need to replicate on to
0:07:25	fast ethernet 15
0:07:32	fast ethernet 15 so on this link
0:07:36	like wise its going to be an access port in vlan 122
0:07:41	so now when they are part of the bundle
0:07:44	they are going to be in the same broadcast domain
0:07:47	now there can be some design issues if you are combining redundant interfaces
0:07:53	along with failover at the same time
0:07:56	which in the case that
0:07:58	if the redundant interfaces are physically connected
0:08:02	between the
0:08:04	the failover pair
0:08:05	you can end up in some odd designs
0:08:08	where if
0:08:10	asa 1
0:08:13	and asa 2
0:08:15	are connected together
0:08:17	with links that are running in failover
0:08:20	but they are also
0:08:21	in a redundant interface pair
0:08:25	you can end up in the situation that if asa 1 has links 1 and 2
0:08:30	and asa 2 has links 3 and 4
0:08:34	that if
0:08:37	this is the primary link on asa 1
0:08:40	and this is the primary link on asa 2
0:08:43	you end up with a cant communicate with each other
0:08:46	because they are not agreeing on which interface they are supposed to forward
0:08:50	so if you do end up in this type of design
0:08:53	where you are trying to combine the failover and the redundant interfaces at the same time
0:08:57	its ok to do this
0:08:59	as long as you do not connect the links in a back to back fashion like this
0:09:04	what you should do instead with this type of design
0:09:06	is have an additional layer 2 switch between them
0:09:12	so then regard this whichever
0:09:14	physical link is forwarding for the pair
0:09:17	if asa 1 is forwarding here
0:09:19	and asa 2 is forwarding here
0:09:21	its going to be up to the layer 2 switch in its cam table
0:09:25	to figure out how the traffic is actually going to be exchanged between them
0:09:29	so in this case if the asa wants first link goes down
0:09:33	its ok because the switch is going to be able to change this over
0:09:37	simply based on its
0:09:38	spanning tree topology
0:09:43	now in our particular design we do not have this case because we are just using
0:09:47	two interfaces to connect to the same
0:09:50	segment so if we look at the
0:09:52	the show interface status again
0:09:58	the links
0:10:01	e0/0 and e0/2
0:10:04	on asa 2 they are both connected to
0:10:06	vlan 122
0:10:09	now when we look at the asa s config
0:10:13	so right now its blank i need to load the
0:10:17	the reference config we were using
0:10:32	now before i configure the redundant interface pair i just want to make sure that asa 2 actually does have reachability on that link
0:10:38	when i am using the
0:10:41	the primary interface
0:10:44	so from here if we simply ping on the outside
0:10:46	router 2s address here is 200.0.122.2
0:10:51	here we do have connectivity
0:10:53	if we look at our routing
0:10:56	we see that we are learning dynamic routes on the outside
0:10:59	these are the ospf routes we are learning from router 2
0:11:02	and then also on the inside we have eigrp running
0:11:06	so ideally whats going to happen here
0:11:09	is that
0:11:11	from the rest of the perspective of the routing topology or any other transit traffic
0:11:16	the devices that are transending over asa 2
0:11:19	they dont really care whether we are using ethernet 00 or e0/2
0:11:24	because all of the layer 3 configuration
0:11:27	is going to be replicated on the redundant interface
0:11:31	this means that the routing process is going to be running on the redundant interface
0:11:35	if we were doing things like the routing authentication
0:11:38	or changing any of the layer 3 parameters
0:11:41	although that stuff is going to go under interface redundant
0:11:44	as opposed to the physical lan
0:11:48	so now what i need to do here
0:11:50	is whatever i have on ethernet 0/0
0:11:53	this now needs to move to the redundant link
0:11:57	so i will say here clear configure interface ethernet 00
0:12:04	we look at the running config now its back to its default
0:12:08	now from this link
0:12:11	e00 and the link e02
0:12:14	the only thing that i really need to do here
0:12:16	is just to make sure that they are not in the shut down state
0:12:19	and that the speed in the duplex are correctly assigned
0:12:22	where in this case they are using on a negotiation
0:12:25	thats going to be fine for our particular case
0:12:29	so next we are going to configure interface redundant
0:12:33	give it any local value i'll say this is interface redundant 1
0:12:36	and now i need to know who are the members
0:12:39	that are going to be part of this
0:12:41	in my case i want e00
0:12:43	and e02
0:12:46	from here
0:12:48	any of the other configuration that i previously had on the physical link
0:12:53	this is now going to go on interface redundant
0:12:58	so its a fairly straight forward implementation
0:13:02	where we are just referencing what are the members and the rest of the logic of the config is going to go here
0:13:07	when we look at the routing table
0:13:09	we should see that we are now going to reform our routing adjacency on the
0:13:15	outside interface
0:13:18	but the routing table does not care that the outside interface is actually made up of multiple physical links
0:13:25	so now if we look at the actual transit traffic
0:13:28	lets say that we were to go to router 6
0:13:31	and i am going to telnet out to router 3
0:13:35	so this is going to be
0:13:38	and active tcp connection that is going to be
0:13:41	ideally failing over from the one physical link to the second
0:13:45	so on router 6 i will telnet to 200.0.0.3
0:13:50	we get connectivity this means we are routing through the asa
0:13:55	if i were to say
0:13:57	show tech support
0:13:59	its going to generate a bunch of
0:14:01	bunch of telnet traffic
0:14:03	so on asa 2 if we look at the show
0:14:06	connections
0:14:08	we see that the mpf is doing the inspection
0:14:11	says that the traffic from 200.0.0.3
0:14:15	supposed to be coming in on
0:14:17	the outside interface
0:14:19	through turning back to router 6
0:14:22	now if we look at the show
0:14:28	show interface redundant
0:14:31	redundant 1
0:14:36	says right now the member interface that is active
0:14:40	is ethernet 0/0
0:14:43	so lets try logging on here say login console 7
0:14:46	and login on
0:14:48	now remember this e0/0 here
0:14:52	on
0:14:54	asa 2
0:14:55	this is the link that is connecting to fast ethernet 14
0:14:59	on switch 2
0:15:02	so what we should ideally see is that if this link goes down
0:15:06	that the
0:15:07	telnet session
0:15:09	does not drop so its not going to have to rebuild the connection
0:15:13	and it should almost immediately fail over to the new one
0:15:17	so lets shut that link down
0:15:19	we look at router 6 we actually don't even miss any traffic
0:15:23	an asa 2
0:15:25	it says that
0:15:28	ethernet 0/0 change to down
0:15:30	so ethernet 0/2 now becomes active in the redundant interface
0:15:35	we look at the
0:15:38	the show interface redundant 1
0:15:43	says now the active member is e0/2
0:15:49	the other thing we could also want to take into account for this high availability designs
0:15:54	is any additional convergence
0:15:57	that you could potentially have in the layer 2 network
0:16:01	because from ever when we are looking at this diagram
0:16:04	this is not really a true representation of what the physical network looks like
0:16:08	this is a representation of what the logical layer 3 topology is
0:16:13	which is things like our vlans, our ip subnets , our frame within pvc s ?????
0:16:19	this does not really tell us how the network is physically wired
0:16:22	so usually when you are looking at documentation of the network
0:16:25	you are going to have 2 separate sets
0:16:27	one thats the physical network
0:16:29	and then one that is the resulting logical network based on the actual configuration
0:16:35	but if we think about whats going on here
0:16:37	on the connection from
0:16:40	asa 2
0:16:42	on
0:16:44	e0/2
0:16:46	and e0/0
0:16:49	these are physically attaching to switch
0:16:51	2s port
0:16:54	fast ethernet 14
0:16:58	and fast ethernet 15
0:17:02	then router 2s interface here
0:17:04	fast ethernet 0/0
0:17:08	is actually connecting to
0:17:10	another switch this is connecting to switch 1s
0:17:16	port fa 0/2
0:17:18	then there is some trunking thats going on in between them
0:17:23	now if i am trying to get high availability between asa 2 and router 2
0:17:28	not only do i need to take into account
0:17:30	how long is it going to take the asa
0:17:32	to figure out that this link is down
0:17:35	but also
0:17:37	how do i make sure that the
0:17:39	convergence of the new link
0:17:41	is going to be fast
0:17:44	so this would mean if i was doing layer 2 networking here trunking between switch 1 and switch 2
0:17:49	ideally it would want to be running
0:17:51	rapid spanning tree protocol
0:17:53	in either of the multiple spanning tree variant
0:17:56	or the per vlan rapid per vlan the cisco variant
0:18:01	to make sure that when the primary link goes down
0:18:04	that we can immediately continue for running over the secondary line
0:18:09	and this is going to be the same case for failover
0:18:12	if i had asa 2
0:18:15	that has some link thats going to one of the switches
0:18:18	and then i am also trying to connect to asa 1
0:18:22	i want to make sure that if this link goes down
0:18:26	that when the
0:18:28	primary device goes down and the standby device takes over
0:18:33	then i want to make sure that is going to failover is as quickly as possible
0:18:37	so this would include
0:18:39	our layer 2 options like the
0:18:45	the negotiation of the particular link which in this case is the fast ethernet 14 and 15
0:18:55	so what i would typically want to say
0:18:57	in addition of this here
0:18:59	is that these links should be running as edge ports
0:19:02	from spanning trees point of view
0:19:05	which is going to be configured with the spanning tree port fast command
0:19:08	then we will look at the
0:19:11	the actual spanning tree mode
0:19:13	generally we would want to make sure that the network is either running
0:19:16	rapid per vlan spanning tree
0:19:18	or multiple spanning tree which inherently is
0:19:21	running rapid spanning tree as well
0:19:24	so some of this stuff is kind of outside the scope of security
0:19:29	but if you are trying to design high availability
0:19:32	you have to make sure you are taking into more
0:19:34	taking more of this into account
0:19:36	then just from the application point of view
0:19:39	which in this case the application would be the asa
0:19:42	i am making sure if one of the links fails
0:19:45	that the secondary link can take over
0:19:47	or that the separate entire chasy can take over
0:19:53	now if you want do want to get more information on this
0:19:56	what i would recommend
0:19:57	is
0:19:58	as part of the
0:20:00	the solutions reference network design guides
0:20:03	that i was mentioning before which are the srnbs
0:20:07	there is a cisco campus
0:20:10	high availability
0:20:12	design guide
0:20:15	campus networks for high availability design guide
0:20:18	and as i mentioned this doesn't necessarily relate directly to security
0:20:22	but since in the world of security we still need to deal with the network infrastructure
0:20:27	you really do need to understand what is going on below the applications
0:20:31	so things like at layer 4 , 3 and 2
0:20:34	and then down to the actual redundancy of layer 1
0:20:38	so this talks about
0:20:41	things like the layer 2 redundancy like i was mentioning things about spanning tree
0:20:46	trunking
0:20:47	how things like dynamic trunking protocol
0:20:50	could have an affect on your
0:20:51	your convergence
0:20:53	then things like our
0:20:55	first our redundancy protocols
0:20:57	and layer 3 routing
0:20:58	how thats going to have an affect on the
0:21:01	high availability
0:21:05	so again not directly whether you took the security
0:21:07	but from an overall network design point of view
0:21:10	you do need to take this into account anytime you are trying to do a high availability design

Now Viewing

CCIE Security Advanced Technologies Class
Title:	CCIE Security Advanced Technologies Class
Duration:	39h 19m
The CCIE Security Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Security lab will be described in detail using an instructor led hands on demonstration. The class consists of over 40 hours of in depth explanations and examples.
Get instant access to our entire library!
$159/month	Add to Cart
Download this Course
$299.00	Add to Cart

ASA Redundant Interfaces

Create Bookmark