0:00:13 In this section we are going to talk about some of the different preparation resources that you can use for security
0:00:19 that include not only different recommended
0:00:21 readings like Cisco Press books and vendor-independent books,
0:00:25 but a lot of free resources that are available on Cisco's website,
0:00:29 both in the form of the technology documentation and the product documentation.
0:00:35 Now for recommended books
0:00:38 you will find a large list that's on both our website
0:00:42 and on the CCIE website. Some of the common texts, like the Cisco ASA
0:00:48 firewall guide, are really good.
0:00:51 There is a new one that is called just Cisco Firewalls
0:00:55 that covers both the zone-based policy firewall in IOS
0:00:57 and the ASA. Some of these you will see are a little bit older, like the IPsec
0:01:03 VPN design guide or Network Security Architectures.
0:01:08 But unfortunately there is not really one book overall
0:01:11 that covers all the topics that are needed for security
0:01:15 and specifically for the Security CCIE exam.
0:01:19 What I would recommend to do though,
0:01:21 instead of buying every single one of these books,
0:01:24 if you haven't already, take a look into the Safari online website.
0:01:40 This website is the publisher of the Cisco Press
0:01:44 and then a lot of other technology books that you would normally see in the bookstore.
0:01:51 What is really nice about this, as compared to either using
0:01:57 the documentation on Cisco's website or the printed resources,
0:02:00 is that you have the option to search not only the titles of books
0:02:07 but all of the content that is inside of the books.
0:02:11 There are a couple of different subscription levels that you can get.
0:02:14 One is going to give you limited access to a certain number of books that you choose;
0:02:19 the other one, that I have on my account here, is basically access to everything,
0:02:24 and it also gives you access to the books before they actually go into printed production, before they actually get published.
0:02:31 You see those are the Rough Cuts and Short Cuts, they call them.
0:02:36 But especially for the CCIE lab exam, if you're looking for a very specific topic,
0:02:43 you may not sit down for 2 hours and read a book on ASA
0:02:48 and read the general things about what a firewall is, what a security policy is.
0:02:53 I may be looking for something very specific.
0:02:56 Let's say, how do I do active-active failover when I am doing multiple contexts?
0:03:01 So here I will just search for ASA "active active failover"
0:03:07 and it's going to bring up the particular book
0:03:10 and also the individual section in the chapter that talks about that.
0:03:15 So here the second one mentioned, the ASA All-in-One guide,
0:03:19 is really a good book about the ASA,
0:03:22 and that brings me specifically to that section
0:03:26 that's talking about the failover configuration.
0:03:30 So this is going to give me some examples of how I actually implement the failover.
0:03:36 Now of course the greatest advantage of this is
0:03:39 that if you spend tons of time reading on your computer screen you may not want to look at all these in an electronic format or in a printed format.
0:03:49 One thing that I found is that
0:03:51 the newer versions of the Kindle or some of the other e-readers
0:03:57 have web browsers built into them now,
0:04:00 so if you have a Safari account you could go through the web interface on your Kindle,
0:04:05 and then you can read all of the books instead of buying the actual e-book versions.
0:04:11 And it does take a little bit of getting used to,
0:04:14 but it's definitely better now than it has ever been in the past
0:04:17 with the formatting of the websites or the text on the e-readers.
0:04:23 Now there are also a lot of vendor-independent books on here.
0:04:28 If you were to just search for, let's say, IPsec,
0:04:35 most of these you're going to see are Cisco Press books,
0:04:38 but here is just one generic VPN one,
0:04:43 IPSec: The New Security Standard for the Internet,
0:04:46 so this would be a standards-based implementation book.
0:04:51 So you may want to correlate this with Amazon or choose to read through any of these completely,
0:04:58 but they also do have here, if I search for, let's say, Cisco Cookbook,
0:05:13 these books that you see in the bookstore
0:05:14 on all sorts of topics that have these animals on the cover, they all look similar to these; you will find that there is a lot of good technology information in
0:05:24 these types of books, these are actually the O'Reilly books,
0:05:27 but there is a lot of other information on here other than just the Cisco Press ones.
0:05:33 So you may want to go to the CCIE website. You go to cisco.com/go/ccie,
0:05:41 then under Security, then to their recommended book list.
0:05:48 But you can see there's a lot of different stuff they are recommending you read.
0:05:52 So you wouldn't necessarily want to sit and read all of these cover to cover,
0:05:56 but again the great thing about Safari is that the vast majority of these are already on there
0:06:00 and then you could just sort through, search through them and figure out what is the particular chapter that is relevant there.
0:06:07 Now you can see it also does assume that you know some other generic routing topics, things like Routing TCP/IP Volume 1 and 2.
0:06:17 This does not relate directly to security,
0:06:20 but if you don't know how IP routing works,
0:06:22 you don't know how layer 2 technologies work,
0:06:24 like I mentioned before,
0:06:25 then you are going to have some difficulty figuring out why is my IPsec VPN not working
0:06:31 or why is this DMVPN tunnel not working;
0:06:33 maybe it's related to a layer 2 problem, maybe it's related to a basic layer 3 routing problem,
0:06:39 so hopefully at this point you do have that basic understanding of layer 2 and layer 3 networking
0:06:45 and then you can focus more on just the security type topics.
0:06:51 So in addition to this long book list,
0:06:54 another thing that is a free resource
0:06:57 is the technology documentation on Cisco's website.
0:07:02 Now the technology documentation is different from the normal documentation CD,
0:07:07 which would be considered the product documentation,
0:07:11 where the technology documentation is going to have different things
0:07:13 like links to RFCs, design guides, frequently asked questions,
0:07:19 things that are just generically related to the topic,
0:07:22 to the technology, not the actual product that it's being implemented on.
0:07:28 So if you go to Cisco's main website,
0:07:31 and I am sure you know that the navigation path for the website changes all the time,
0:07:36 but in general if you go up to Support
0:07:41 and then all the way down to the bottom,
0:07:44 if you go to Configure,
0:07:47 this is the main documentation page that we are going to be using.
0:07:51 Now within the scope of this CCIE lab exam,
0:07:54 this is what your home page would be set to
0:07:56 when you open your web browser,
0:07:59 so I would bookmark this page or set this up to be your homepage.
0:08:02 All the navigation paths we are going to be going through in this class
0:08:06 are going to start from this main page,
0:08:08 that is the Select Your Product or Technology.
0:08:13 Now for the technology documentation,
0:08:16 we are going to start from that configuration page,
0:08:19 go to Technology, Security, then we have the individual topics,
0:08:25 for example IPsec. Hey, once we get there,
0:08:29 then there are also going to be links to different standards documents like RFCs,
0:08:34 design guides, white papers, a lot of configuration examples,
0:08:38 this is what they used to call the Tech Tips,
0:08:42 which are a great place that they love to pull content from for the CCIE lab exam.
0:08:49 So these design guides and configuration examples,
0:08:52 these come from real-world implementations,
0:08:55 that people are constantly submitting cases to TAC or their Advanced Services,
0:08:59 seen in the field often enough that they need to have someone write documentation on that particular design
0:09:07 or that particular configuration.
0:09:10 Now the only issue with this within the scope of the CCIE is that you are not going to have access to these during the lab exam.
0:09:17 So it's great for a normal preparation resource if you are just trying to learn a technology,
0:09:22 but you don't want to rely on these configuration examples for the actual CCIE lab exam.
0:09:30 Let's go take a look at some of these; let's go down to
0:09:33 Technology, Security,
0:09:38 then let's take a look at IPsec and IKE.
0:09:45 Now under here, if you go to it, you will see the configuration guides,
0:09:49 the examples and TechNotes. Hey, this is what they used to call the Tech Tips,
0:09:54 then you also look at the design and the general technology information and the troubleshooting.
0:10:02 Now depending on the individual topics sometimes you see that there is
0:10:05 not much linked to it,
0:10:07 like this configuration guide, this talks about the general IPsec configuration,
0:10:12 but here under the TechNotes, or the Tech Tips,
0:10:17 these are very specific configuration variations
0:10:21 that are related to individual platforms,
0:10:25 so if you look at the drop-down here
0:10:27 and let's say we want EasyVPN.
0:10:31 Hey, this would be for remote access VPN either on the IOS or ASA
0:10:36 or we are using the regular VPN client,
0:10:39 so not the AnyConnect SSL.
0:10:42 So here we have EasyVPN in network extension mode with split tunneling on the router
0:10:49 or the EasyVPN Remote hardware client to PIX EasyVPN server.
0:10:56 And depending upon the version we are talking about in the text, you may see that it relates to the ASA,
0:11:03 but if it's anything 6.3 or earlier the syntax is going to be different.
0:11:08 So if we were to look at either of these,
0:11:12 both of these are very common configurations in a real-world design
0:11:16 where the router is the VPN server
0:11:19 or the PIX and ASA is the VPN server,
0:11:22 so this is definitely something that you want to cover before you get to the CCIE lab exam.
0:11:28 So it's kind of similar to how our Volume 1 workbook is formatted,
0:11:33 that gives you an individual scenario.
0:11:35 It will show you the diagram of the design
0:11:38 and then what's the specific configuration that you need;
0:11:42 usually they will highlight what are the particular commands that are related just to this configuration,
0:11:48 like the enable password command that's really not related to the VPN that you need to add in there.
0:11:53 Then towards the bottom they will usually go through some different verifications
0:11:59 and then troubleshooting, like this one related to understanding and using the debug commands;
0:12:05 they will also refer to the IP Security troubleshooting.
0:12:13 So this goes through some of the IOS show commands, IOS debug commands,
0:12:18 where again this stuff is great during your normal preparation
0:12:22 but you don't have access to it during the regular lab exam.
0:12:27 Now you will also see when you go under
0:12:34 either the design guides or sometimes you will see these links to different RFCs, to different white papers.
0:12:41 Usually anything that is the Frequently Asked Questions or the Q&A guides are really good.
0:12:48 Like here is one, the DMVPN design guide,
0:12:54 that is focused more on the real design as opposed to just the configuration,
0:13:03 so what's the overall difference between the hub-and-spoke Phase I and Phase II and Phase III,
0:13:10 what are some of the enhancements,
0:13:11 what are the different ways that they recommend to actually implement this.
0:13:20 Hey, this is the last one here, Technology Q&A.
0:13:25 Any time that you see Frequently Asked Questions you definitely want to make sure that you read through this.
0:13:31 Now some of the security ones are necessarily going to be as good as some of the other technologies,
0:13:37 but let's say for example we are looking at just generic IP routing,
0:13:42 if we really go to Technology, then IP, IP Routing, let's say OSPF for example,
0:13:56 then the OSPF frequently asked questions.
0:14:04 So again just like those configuration guides,
0:14:07 these are common problems that people run into in the real world and submit cases to TAC
0:14:12 enough for them to add them to the FAQ list or to do an individual write-up on that particular topic.
0:14:18 So anything that is related to security you would try to look for these,
0:14:22 whether it's IPsec or whether it's firewall related or it may be IPS.
0:14:27 These are those quote-unquote gotchas
0:14:29 that if you really don't understand how the technology works
0:14:33 then you could think it's some sort of tip or trick that you need to understand in order to get it working.
0:14:38 There are things like, why does OSPF use
0:14:41 a /32 host route when it advertises its loopback?
0:14:45 Hey, well the reason why is that the RFC states that there is this special network type, loopback,
0:14:50 for looped-back interfaces that should be advertised as /32.
0:14:55 Or why is distribute-list filtering in OSPF always kept different than the other routing protocols?
0:15:01 So if you didn't understand at the fundamental level
0:15:04 how does a link-state routing protocol work differently than distance-vector,
0:15:09 then you may have a hard time understanding why or why not the distribute-list works for filtering.
0:15:16 So, again in our case this is mainly going to be focused towards security,
0:15:20 so you would want to go under the technology domain, things under Security and VPN,
0:15:26 where this is going to apply to any networking technology
0:15:30 that Cisco has feature support for, basically on any possible platform.
0:15:36 Now the other portion that you will have access to during the lab exam
0:15:42 is the actual product documentation,
0:15:45 and the product documentation is going to be broken down into a couple of different parts
0:15:49 depending on what particular platform and software versions we are looking at.
0:15:55 Now in general all of the platforms are going to have the configuration guides,
0:16:00 which would apply to IOS, to the ASA, to the IPS
0:16:04 and to the ACS server. The configuration guides in general
0:16:12 are going to give us the step-by-step list
0:16:14 of what are the individual commands you need to implement
0:16:17 in order to get this particular feature working.
0:16:21 Now the configuration guides most of the time
0:16:25 are where you are going to get help as an overall configuration for the syntax,
0:16:31 so when we get to VPN, we will look at some of the
0:16:34 configuration templates you are going to use for, like, the EasyVPN server on IOS
0:16:40 versus EasyVPN server on the ASA,
0:16:43 so you can use the configuration guide, look at their base config,
0:16:47 and then change it around to meet whatever your particular problem is you are trying to solve there.
0:16:54 The next portion, under the reference guides heading, is going to be the command reference,
0:17:01 which we should see at least for the IOS and ASA;
0:17:06 we may see this for the IPS and I am not 100% sure off hand if
0:17:09 they do have a command reference there.
0:17:11 What this is going to show though is the individual usage guidelines
0:17:17 for a piece of syntax; they are going to show things like what are the default options for it,
0:17:22 like what are the default timers for the IPsec security association lifetime,
0:17:28 and what are the different arguments that the command line takes,
0:17:31 and when would you like to use one versus the other.
0:17:34 So let's say for example we are trying to do
0:17:37 a port security configuration on the Catalyst switches
0:17:40 and I want to know what's the difference between the violate mode or the restrict mode,
0:17:46 so if I were to go to the command reference,
0:17:48 look at the switchport port-security violation command,
0:17:52 it will tell me what are the different arguments and what exactly is the difference between the one versus the other
0:17:57 and when do you want to use it.
0:18:01 Now what are the issues we will see with the command reference versus the configuration guides
0:18:06 is that the command reference is generally used when you already know what you are going to accomplish
0:18:12 but you just need very specific syntax help in order to get there,
0:18:16 where the configuration guide is more going to give us a numbered or bulleted list
0:18:22 that says you need to do steps one, two, three, four in order to accomplish what you want.
0:18:27 But with the command reference it would be much harder to piece that together.
0:18:31 So we are going to be using both of them during this class as we go through a lot of these technology examples.
0:18:38 The next one is going to be under the release and general information,
0:18:43 the master index,
0:18:45 and the release notes that are going to give us some new feature descriptions,
0:18:49 that would tell us what's the difference between the 12.4(15)T and 12.4(17)T versions and 12.4(20)T,
0:18:57 so exactly what was released
0:19:00 as a new feature in those particular versions,
0:19:03 that we would figure out is that significant to us within the scope of security.
0:19:08 Now also we have the master index here,
0:19:11 which is going to be used for looking for either a configuration guide
0:19:15 or a command reference that we do not already know where it's located.
0:19:21 So let's say, for example, I am trying to figure out what's the syntax for network address translation on the router;
0:19:27 now I know the commands start with the syntax ip nat,
0:19:32 but if I didn't know where this is located under IP Application Services,
0:19:36 IP Addressing Services,
0:19:38 then I might waste a bunch of time trying to figure out where exactly is this document located.
0:19:44 So what I could do is go to the Master Index,
0:19:50 find it actually with the ip nat command,
0:19:53 then that's going to link me back to the command reference or to the configuration guide that's talking about that particular feature.
0:20:03 Now one key point about the documentation
0:20:06 is that within the scope of this CCIE lab exam
0:20:09 the search function is disabled.
0:20:13 Now you can actually use the search box;
0:20:16 it's going to come up with different results
0:20:17 that you would normally see on the website. The problem is,
0:20:19 a lot of the times when you click those,
0:20:23 it's going to go outside the scope of the URL you are authorized to visit,
0:20:28 so things like the Tech Tips,
0:20:30 the frequently asked questions, the design guides,
0:20:33 most of that stuff you are not going to have access to.
0:20:36 So if you do use the search engine,
0:20:39 usually you are going to waste your time.
0:20:42 So you definitely would want to know what are all the manual navigation paths
0:20:47 for all of the topics that are within the scope of this exam.
0:20:51 Now, I am going through this individually to show
0:20:55 where is the IOS documentation, where is ASA, where is IPS, where is the ACS server,
0:21:00 so that as we get into the individual configurations
0:21:04 I am going to be using the documentation for a lot of the examples,
0:21:07 because again there are certain topics that you do not need to memorize;
0:21:12 as long as you know what am I trying to do
0:21:15 and what's the overall goal,
0:21:17 you can generally use the documentation for a lot of the specific syntax help.
0:21:25 So first let's talk about the regular IOS documentation for the routers.
0:21:30 So we are going to start at that main page
0:21:33 which is the Support and Configure, which is this one here;
0:21:40 we are going to go down to Products, IOS, regular IOS, 12.4, and 12.4T.
0:21:55 So, again from that main page we go to Products,
0:21:58 IOS, regular IOS, 12.4 and then 12.4T.
0:22:02 Hey, this is going to get us to the point where we can choose,
0:22:06 are we going to the configuration guide, the command reference, the Master Index or the Release Notes.
0:22:11 Where the configuration guides
0:22:15 again are going to show us for a particular topic
0:22:18 exactly what the step-by-step list of commands you need to enter
0:22:22 in order to accomplish this.
0:22:25 Now in our case here for the IOS configuration guides,
0:22:29 the vast majority of stuff that we are going to look at this week
0:22:32 is under Security and VPN,
0:22:35 where Secure Connectivity, this would be the IPsec-related topics.
0:22:41 So LAN-to-LAN configuration both with IKE for the Phase I negotiation
0:22:48 and IPsec for the Phase II negotiation.
0:22:55 Then other corner-case topics like the DMVPN, GET VPN, EasyVPN server
0:23:01 and client and the SSL VPN server.
0:23:06 Hey, PKI is also listed here for the router as the PKI server and as the PKI client.
0:23:14 So when we are doing certificate authority we are going to look at both variations,
0:23:17 the router is the one who is actually issuing these certificates
0:23:20 and then the router who is receiving a certificate from the server.
0:23:27 The next one is going to be the Control Plane.
0:23:31 This will be stuff like the control plane policing,
0:23:35 so to protect the router CPU against an ICMP denial of service attack,
0:23:39 or someone trying to do an SSH or a telnet attack to try to do denial of service on the CPU. Or router authentication, like for OSPF or EIGRP or BGP,
0:23:55 how do we secure the actual routing exchange,
0:23:58 so that no one can inject false routing information into the topology.
0:24:05 Securing the Data Plane,
0:24:08 this is going to be all of our access list filtering
0:24:11 that is either for standard and extended lists,
0:24:15 so stateless access filtering,
0:24:18 stateful access filtering, the reflexive list, Context-Based Access Control
0:24:24 and the zone-based policy firewall,
0:24:29 some of the other minor variations like the lock-and-key security for the dynamic ACLs, TCP Intercept to prevent denial of service attacks,
0:24:39 then some other minor features here like Unicast Reverse Path Forwarding,
0:24:45 Flexible Packet Matching,
0:24:48 which would be if we want to create some new application signature
0:24:52 that we can match either in the zone-based policy firewall or the QoS,
0:24:56 that's not already part of the match protocol statements that are in the router by default.
0:25:06 Here, the last one, we have the Securing User Services;
0:25:09 this is mainly going to be stuff that's related to AAA.
0:25:14 So various syntaxes built for exec authentication,
0:25:20 exec authorization, so can I telnet into the router
0:25:24 and if I do, what are the particular commands that I can issue,
0:25:28 or AAA accounting for exec or commands,
0:25:32 like what's the user actually doing once they telnet into the router,
0:25:36 and then other things like Role-Based CLI;
0:25:41 we will see that used for doing local exec command authorization.
0:25:49 Then basic things like passwords and privileges,
0:25:54 login enhancements, resilient configuration, that type of stuff.
0:25:57 There are a lot of minor IOS features here that are going to be located under the Securing User Services.
0:26:08 Hey, again the other variation here for you, instead of going to the configuration guide,
0:26:13 will be the command references.
0:26:16 So this is under Reference Guides, then Command References.
0:26:22 So, again you can see it's the same topic domains here,
0:26:25 but now instead of showing us how do you accomplish this configuration,
0:26:29 it's just going to be the individual syntax.
0:26:32 So, let's say I want to know
0:26:34 what is the crypto ipsec syntax,
0:26:42 let's say for the transform set.
0:26:46 So crypto ipsec transform-set, it's going to show us
0:26:59 what are the different arguments
0:27:02 and then what are the particular usages.
0:27:05 It will also show you, based on the individual release,
0:27:09 when was the feature implemented.
0:27:12 You can see it says in 15.1(2)T the esp-gcm and the esp-gmac transforms were added.
0:27:22 Now we are going to assume the lab exam is going to use the 12.4T
0:27:27 and not any of the Universal 15 images,
0:27:29 that we wouldn't be testing on this.
0:27:31 So the new variations of ESP are not going to be available to us.
0:27:36 If you then read through the usage guidelines,
0:27:39 it's going to tell you some general information about why would we want to use this particular configuration variation.
0:27:46 Let's go back to the main webpage again.
0:27:49 So again we go to Products, IOS, regular IOS 12.4, 12.4T.
0:27:58 Now instead of going to either the configuration guide or the command references
0:28:03 I want to see the release notes and the master index.
0:28:07 Both of these are going to be under release and general information,
0:28:12 where we have the master index not only for commands,
0:28:17 but some of these also have the master index for configuration;
0:28:20 it depends on the individual versions you are looking at.
0:28:23 But if we look at the master index, commands for 12.4T,
0:28:27 you can see basically it's every command that is officially supported.
0:28:32 So if I here want to see, let's search for the crypto,
0:28:39 so not only the configuration command but all the clear commands, all the show commands, all the debug commands,
0:28:45 you can see this, this is going to be all the crypto commands.
0:28:48 So if I wanted to look at what is, let's see, the isakmp policy.
0:28:56 So there are two ways I can go, I can go IPv6,
0:29:00 page 182, or Security, page 565.
0:29:05 I would say the first one there relates to IPv6 security;
0:29:10 the second one should be the normal IPv4 security.
0:29:15 So now in this case I don't necessarily need to know
0:29:19 that the crypto isakmp command
0:29:22 was located under the IOS Security Command Reference;
0:29:27 if for some reason I didn't know what topic domain it was under,
0:29:30 the master index I can use to work backwards to get there.
0:29:35 Then lastly under the release notes,
0:29:38 the new feature descriptions.
0:29:42 Now this document you would want to use towards the end of your preparation,
0:29:47 just to make sure that there is not any new feature
0:29:51 that is relevant to us that you have left out of your preparation.
0:29:56 So a lot of this you will see is not relevant to security,
0:30:00 like in 12.4(24)T it says we now have support for HWIC-1FE and HWIC-2FE.
0:30:07 Physical type stuff like this we don't really care about.
0:30:10 But I may want to know what's IKE Responder-Only Mode
0:30:17 or what is the IOS Firewall Support for TRP,
0:30:24 so a new protocol they are adding there,
0:30:28 so if you click on those it's going to show you
0:30:31 what is the specific document that you will need to go to for this,
0:30:35 where usually when they initially implement a new feature,
0:30:40 they are going to have a separate write-up on it.
0:30:42 Hey, which is this one, which is going to eventually lead us to
0:30:46 this specific document, IKE Responder-Only Mode.
0:30:51 So from here we would want to know
0:30:54 basically what's the general information about this.
0:30:57 It's this information about this:
0:31:00 since the advent of VPN features that allow simultaneous bidirectional IKE negotiations
0:31:05 (with or without interesting traffic),
0:31:08 issues with the handling and recovery of data from duplicate SAs have occurred.
0:31:12 IKE as a protocol has no ability to compare IKE negotiations
0:31:16 to determine whether there is already an existing or in-process negotiation between two peers taking place.
0:31:24 These duplicate negotiations can be costly in terms of resources and confusing to router administrators.
0:31:29 Hey, basically what this means is, at least we have two endpoints
0:31:35 of a VPN tunnel. If both endpoints initiate at the same time,
0:31:39 they go through separate Phase I negotiations,
0:31:43 and that's not really what we want;
0:31:45 here we want only one negotiation, we want someone to initiate and someone to respond.
0:31:50 That's basically what this feature is doing.
0:31:52 It's saying that when responder-only mode is on,
0:31:56 the device is not going to initiate IKE main mode, aggressive or quick modes,
0:32:02 nor will it rekey IKE or IPsec SAs, thus the likelihood of duplicate SAs is reduced.
0:32:08 It basically means that it's the other side's job
0:32:11 to start the tunnel and it's the other side's job to rekey, so to rerun the Diffie-Hellman exchange
0:32:18 for either Phase I ISAKMP or Phase II IPsec.
0:32:24 Now, once we just read through these couple of short paragraphs,
0:32:28 we know that the feature's there,
0:32:31 and we know what it does;
0:32:32 I don't need to memorize the syntax for it,
0:32:33
|
I probably don’t need to try it out.
|
|
0:32:35
|
Because if we look down, what the configuration is,
|
|
0:32:38
|
just one command, under crypto IPSec Command we see responder-only. Now the problem with this though is that if we do not know that the feature was there to begin with,
|
|
0:32:50
|
its going to make it that much more difficult when the question is being asked
|
|
0:32:54
|
to figure out what we are even talking about to start.
|
|
0:32:58
|
And this is one of the big things that you want to prevent
|
|
0:33:02
|
before you get to the CCIE lab exam,
|
|
0:33:05
|
if they ask you about something that you have no idea what they are talking about,
|
|
0:33:09
|
it’s very unlikely that you are going to find any information in the documentation.
|
|
0:33:14
|
So ideally we need to know what are the possible features,
|
|
0:33:18
|
but not necessarily what the details of the implementation are, or the details of the syntax.
|
|
0:33:23
|
I can always go back to the documentation to figure out how I actually get it to work,
|
|
0:33:28
|
but the documentation is not going to tell me that it was there to begin with,
|
|
0:33:33
|
where technically it is; I am not going to have much time to do it in the exam.
|
|
0:33:39
|
So don’t worry about relying on the documentation for a lot of the syntax help,
|
|
0:33:45
|
the key is that when you are using it in the actual lab exam
|
|
0:33:48
|
you need to get into the documentation and get out of the documentation as quickly as possible.
|
|
0:33:53
|
So, if you don’t know the manual navigation paths,
|
|
0:33:57
|
you don’t know the difference of how to get to the command reference versus the configuration guide,
|
|
0:34:02
|
the master index, that’s something that is definitely going to cost you
|
|
0:34:06
|
too large an amount of time
|
|
0:34:08
|
in order to actually be successful the actual day of the exam.
|
|
0:34:17
|
The next navigation path we have is going to be for the Catalyst IOS,
|
|
0:34:22
|
so specifically for the 3560s
|
|
0:34:25
|
and a release that is at least 12.2(44),
|
|
0:34:30
|
so from that same main page we are going to the configuration.
|
|
0:34:34
|
Select your product or technology,
|
|
0:34:37
|
we will go to the products, to switches, LAN switches for access, then to the 3560.
|
|
0:34:46
|
Once we get here the navigation gets similar to the IOS,
|
|
0:34:50
|
we will be having configuration guides and the command references.
|
|
0:34:53
|
I don’t believe the newer release of Catalyst IOS has a master index.
|
|
0:34:57
|
You just have a configuration guide and a command reference.
|
|
0:35:01
|
So again from the main page we want products,
|
|
0:35:07
|
switches, LAN access switches, 3560,
|
|
0:35:13
|
Configuration Guides or reference guides and command references
|
|
0:35:21
|
then on to whatever the latest release is here.
|
|
0:35:25
|
Now in the actual exam you probably want to choose the exact release that you are using
|
|
0:35:31
|
because there are some major syntax changes between the different versions.
|
|
0:35:37
|
Hey, one thing we will look at later when we get to identity management
|
|
0:35:41
|
is A.2.1 authentication and authorization with Catalyst switches,
|
|
0:35:47
|
now depending on what particular IOS release you are looking at,
|
|
0:35:51
|
there are major differences in syntax.
|
|
0:35:54
|
So I would want to know what the exact release is that I am trying to get to.
|
|
0:35:59
|
From here in the switches,
|
|
0:36:01
|
most of the stuff is going to be related basically to two topics,
|
|
0:36:05
|
like VLANs, VTP, Voice VLANs
|
|
0:36:09
|
this type of stuff, hopefully you should not need to refer to the documentation for.
|
|
0:36:14
|
What we are mainly looking at here is the security related topics.
|
|
0:36:19
|
So this would be the 802.1x Authentication,
|
|
0:36:23
|
the private VLANs, then if we look at the
|
|
0:36:34
|
DHCP features, IP Source Guard and Dynamic ARP Inspection,
|
|
0:36:40
|
port-based traffic control and network security with ACLs,
|
|
0:36:45
|
where network security with the ACLs is going to be normal layer 3 access lists,
|
|
0:36:50
|
but then also, a MAC access list
|
|
0:36:54
|
for any type of EtherType filter,
|
|
0:36:56
|
and also the VLAN access maps for the VLAN ACLs
|
|
0:37:01
|
then we are going to apply a layer 3 filter onto the entire layer 2 VLAN at the same time.
|
|
0:37:08
|
So these features are related to security,
|
|
0:37:11
|
we will talk about them in a separate section later towards the end of the class,
|
|
0:37:15
|
but again you do need to know where this is located in the documentation.
|
|
0:37:19
|
just in case you need the reference on the actual day of the exam.
|
|
0:37:26
|
Hey the next one would be for the ASA
|
|
0:37:29
|
we start with the configure page, go to products,
|
|
0:37:32
|
security, firewall, firewall appliances, ASA and then finally to our release,
|
|
0:37:39
|
in this case it’s going to be 8.0,
|
|
0:37:42
|
then we have the configuration guides and command references.
|
|
0:37:48
|
Now the structure is going to be similar to the IOS or the Catalyst documentation:
|
|
0:37:57
|
again if we start at products, security, firewall, firewall appliances,
|
|
0:38:06
|
ASA 5500, configuration guides and then the release, 8.0 in this case.
|
|
0:38:13
|
One particular document I want to mention,
|
|
0:38:17
|
and we are going to come back to this in detail
|
|
0:38:19
|
as we are going to the ASA
|
|
0:38:21
|
If we go down to the reference section, there is a document here
|
|
0:38:26
|
that is addresses, protocols and ports.
|
|
0:38:33
|
That is a good general reference
|
|
0:38:36
|
for things like the IP protocol numbers
|
|
0:38:41
|
so for example, what is the difference between ESP and Authentication Header?
|
|
0:38:51
|
Where Authentication Header is protocol number 51,
|
|
0:38:54
|
ESP, Encapsulating Security Payload, is protocol number 50.
|
|
0:38:59
|
Generic Routing Encapsulation is 47,
|
|
0:39:04
|
EIGRP is 88, where OSPF would be 89.
|
|
0:39:07
|
I’d say this stuff you do not necessarily need to memorize,
|
|
0:39:11
|
as long as you know where you can reference it.
|
|
0:39:13
|
The reason I mainly need to know this is for an access list
|
|
0:39:17
|
Maybe I am trying to make some exception for
|
|
0:39:20
|
a VPN tunnel going through zone based policy firewall
|
|
0:39:24
|
or an EIGRP update going through the transparent firewalls on the ASAs.
|
|
0:39:33
|
You will also see a list of common port numbers
|
|
0:39:36
|
for example we see here the BOOTP client and the BOOTP server,
|
|
0:39:42
|
which would be useful for a DHCP Client
|
|
0:39:46
|
sending DHCP requests, then the DHCP server sending the DHCP offer.
|
|
0:39:52
|
So maybe we are doing DHCP snooping security or filtering;
|
|
0:39:57
|
I would need to know that UDP ports 67 and 68 are
|
|
0:40:02
|
what’s actually used for the DHCP communication.
|
|
0:40:06
|
So, again, this is under the ASA configuration guide,
|
|
0:40:10
|
down to reference and then protocols and ports,
|
|
0:40:16
|
The next one we have is the intrusion prevention system, the IPS sensor;
|
|
0:40:21
|
we are going to go to products, again security,
|
|
0:40:25
|
IPS, IPS appliance, 4200 and then finally to our release.
|
|
0:40:32
|
Now from here, from the IPS,
|
|
0:40:35
|
there are two separate portions of the documentation we want:
|
|
0:40:38
|
we want the configuration guide,
|
|
0:40:40
|
but we want it for both the IDM, which is the web interface, the IPS Device Manager,
|
|
0:40:47
|
and for the command line interface.
|
|
0:40:51
|
So the IDM is going to show us how we navigate around the web interface;
|
|
0:40:55
|
the CLI version is going to show us how we do that from the console
|
|
0:40:59
|
or how do we do it from the telnet or SSH.
|
|
0:41:03
|
So again from the main documentation page we would go to products,
|
|
0:41:08
|
security, IPS appliances, 4200, configuration guides,
|
|
0:41:20
|
then separately the IDM, which in our case is not going to be 6.1,
|
|
0:41:25
|
there is also the IPS Manager Express,
|
|
0:41:30
|
and then, also the command line.
|
|
0:41:36
|
One thing you may want to know from here is under the signature definitions
|
|
0:41:42
|
there should be somewhere in the document a list of some common signature names,
|
|
0:41:56
|
which is here; you can see, like, this one is talking about
|
|
0:42:02
|
for web inspection, so here it says,
|
|
0:42:06
|
12680 is the method GET,
|
|
0:42:10
|
where 12683 is the method POST,
|
|
0:42:14
|
where this first one would be trying to download a web page.
|
|
0:42:18
|
So I go to cisco.com, I am going to issue a GET for index.html;
|
|
0:42:23
|
for HTTP POST, this would be if I were trying to upload a file from a web interface.
|
|
0:42:32
|
So we will see, when we get into the advanced application level inspections
|
|
0:42:37
|
of the IOS firewall, the ASA firewall and the IPS sensor,
|
|
0:42:42
|
how we can look into the actual payload of the packet
|
|
0:42:45
|
to figure out what the user is trying to do
|
|
0:42:48
|
and then either permit or deny access
|
|
0:42:50
|
and generate a log message, or do some sort of other action that we can define.
|
|
0:42:55
|
But unless we know what these signature numbers were,
|
|
0:43:00
|
it’s very, very difficult to figure this out from the command line;
|
|
0:43:03
|
now the web interface, we will see, is pretty straightforward because we can just click around until we finally get to that individual page,
|
|
0:43:11
|
but if there is something wrong with the interface,
|
|
0:43:13
|
you are going to need to know what these particular numbers are
|
|
0:43:16
|
to reference them from the command line.
|
|
0:43:20
|
Then lastly we have the ACS server
|
|
0:43:24
|
which is going to be something for the TACACS and RADIUS protocols.
|
|
0:43:29
|
Now this documentation is going to be formatted a little bit differently than the other ones we saw so far,
|
|
0:43:34
|
but we are going to start from the same navigation path.
|
|
0:43:38
|
We are going from the products,
|
|
0:43:41
|
then to security, identity management, Cisco ACS for Windows,
|
|
0:43:48
|
the configuration guides for 4.1,
|
|
0:43:54
|
but then also under Maintain and operate
|
|
0:43:57
|
we want the end user guide.
|
|
0:44:00
|
And there are different topics that are documented differently between these two.
|
|
0:44:05
|
So we have started at the main page,
|
|
0:44:12
|
to products, security, identity management, ACS for Windows.
|
|
0:44:22
|
I want the configuration guides,
|
|
0:44:45
|
so I want the configuration guides,
|
|
0:44:48
|
but then also under maintain and operate I want the end user guide.
|
|
0:44:54
|
Then under the configuration guide we have version 4.0,
|
|
0:44:57
|
and the same for the end user guide,
|
|
0:45:01
|
Now if you look at the configuration one
|
|
0:45:04
|
there are things in here like we have got a condition control,
|
|
0:45:09
|
it would give you a step-by-step list of what you need to configure to get the
|
|
0:45:13
|
NAT feature working,
|
|
0:45:15
|
but most of the stuff that we would want to know
|
|
0:45:19
|
is from the administrator’s point of view, which is the end user,
|
|
0:45:22
|
how do you actually use the ACS server.
|
|
0:45:24
|
So under user guides, this would be like how we do
|
|
0:45:30
|
different group mappings,
|
|
0:45:33
|
so like if I wanted to configure a command authorization set that applies to the group
|
|
0:45:38
|
that once the users are placed in that group, they are going to inherit that,
|
|
0:45:42
|
and what we would also want to know here is the TACACS AV pairs and the RADIUS AV pairs,
|
|
0:45:52
|
or the RADIUS attributes if we look here under RADIUS;
|
|
0:45:55
|
we are going to come back to this in some detail when we get to AAA,
|
|
0:45:59
|
there are a bunch of things that you don’t need to memorize as long as you know where it is documented here;
|
|
0:46:06
|
a good example would be this one here; it says:
|
|
0:46:17
|
the following is an example of two AV pairs included in a single IOS fixing a single AV pairs attribute.
|
|
0:46:26
|
So it’s shell:priv-lvl=15.
|
|
0:46:33
|
Now does anybody know specifically what that attribute does?
|
|
0:46:39
|
Under the Cisco AV pair, this is how we would do exec authorization
|
|
0:46:44
|
through RADIUS IOS exec authorization.
|
|
0:46:48
|
So basically what we could do with this
|
|
0:46:51
|
is configure users on the RADIUS server;
|
|
0:46:54
|
when they telnet or SSH into the router,
|
|
0:46:57
|
the router will then ask the ACS server,
|
|
0:47:00
|
have they authenticated, so do they have the right username and password,
|
|
0:47:03
|
and then what’s the privilege number that they should be assigned.
|
|
0:47:06
|
Well, in this case it’s saying priv-lvl=15,
|
|
0:47:11
|
that’s giving a privilege of 15, that is basically full enable access.
|
|
0:47:17
|
Then we will see that there are separate ways that we would have to do,
|
|
0:47:20
|
things like the enable password authorization through RADIUS versus TACACS,
|
|
0:47:25
|
and a lot of this is not going to be straightforward.
|
|
0:47:28
|
RADIUS and TACACS in general are really not that greatly documented.
|
|
0:47:34
|
So we are going to go through a lot of different examples of this, or
|
|
0:47:37
|
see how you can use the debugs and the show outputs
|
|
0:47:40
|
to kind of point us in the right direction to see
|
|
0:47:42
|
how I do this specific configuration with TACACS variations
|
|
0:47:46
|
and then also with RADIUS variations.
|
|
0:47:50
|
Hey also if we continue to look into this document,
|
|
0:47:54
|
another one, that would be located here, would be
|
|
0:48:02
|
the 802.1X RADIUS attributes.
|
|
0:48:06
|
It says the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id.
|
|
0:48:12
|
Does anybody know why we would want to use these three for?
|
|
0:48:18
|
So these are RADIUS attributes, but these are RADIUS IETF attributes, not
|
|
0:48:22
|
part of the Cisco AV pair.
|
|
0:48:25
|
This would be if I were trying to do .1X authentication,
|
|
0:48:30
|
but then when the user authenticates I want to assign them to a particular VLAN.
|
|
0:48:35
|
So it’s basically dynamic VLAN assignment based on the authentication of the user, where the Tunnel-Private-Group-Id
|
|
0:38:41
|
is the actual VLAN name or the VLAN number
|
|
0:48:46
|
that the user would be assigned to.
|
|
0:48:49
|
So we will look at more details of these examples when we actually get to ACS,
|
|
0:48:54
|
but again the key is that you must already know
|
|
0:48:56
|
off the top of your head that these are attribute numbers 64, 65 and 81,
|
|
0:49:00
|
then it’s going to be hard to solve without the documentation to help
|