According to my friends at INE by May 10th you don’t have to answer any OEQ anymore! Great!

Reasons?

• 4 Questions will not assess what you really know
• Cisco 360° candidates had not to pass OEQ – this was unfair
• It was just not usable

The 30 minutes will be reallocated to the configuration section.

It might, that previous attempts that failed OEQ section solely will be re-graded.

What comes next? No OEQ for SP and security? Troubleshooting for SP?

Let’s be surprised.

I’m still waiting for the offical annoucement on cisco.com …

[Update:]

Now official on the cisco learning network:

With more than six months of exam results now available,
Cisco is able to report that the troubleshooting components
of the CCIE R&S v4.0 and CCIE Voice v3.0 lab exams are
performing well in validating expert level networking skills. 
Considering these results, Cisco has decided to eliminate
the Core Knowledge questions from the current CCIE R&S v4.0
and CCIE Voice v3.0 Lab Exams. 
Beginning on May 10, 2010, CCIE R&S and CCIE Voice Lab Exams,
in all global locations, will no longer include the four
open-ended Core Knowledge questions.  The total lab time will
remain eight hours.  For the CCIE R&S Lab Exam, this means
candidates will begin with the two-hour Troubleshooting section,
followed by a six-hour Configuration section. 
For CCIE Voice, candidates will have the full eight hours to
complete the integrated exam.  At this time, only the R&S and
Voice tracks will be eliminating the Core Knowledge questions.

1. Download the version with Python included
2. Once installed, use the old dynamips from 0.5 (or at least the last working one for you)
   Click on your old (working) GNS3 -> show package contents -> Contents/Resources and copy the dynamips-0.2.8-RC2-OSX-Leopard.intel.bin to the corresponding folder in your new GNS3 package.

Now start GNS3 and see if everything is working. It is, at least for me.

According to their news several stuff has been fixed – like:

    * Qemuwrapper (option to listen on a IP/host and port).
    * Basic support for external hypervisors.
    * Some improvement for projects under GNS3 (still work to do).
    * Many small bugs fixes (graphical, cloud connection etc.)

The Dynamips exceutable in the 0.7 version for Mac was unfortunately broken (solution: Take dynamips executable from the previous 0.5 version). I wasn’t able (yet) to verify if it’s workin in this release.

But the bad information is: 0.7.1 is not running on Mac OS X right now…

GNS3 0.7.1 Crash

Highlights from the release notes:

VPN Client 5.0.07 supports the following Microsoft OSs:
- Windows 7 on x64 (64-bit)
- Windows 7 on x86 (32-bit) only
- Windows Vista on both x86 (32-bit) and  x64
- Windows XP on x86

To avoid problems with the TCP/IP Registry Compatibility service and the VPN Virtual Adaptor, it’s recommended that Windows Vista users install Vista SP2 or later.

Before you install the VPN client, please check wether some of the problems are fixed for you, or if the known problems will affect you.

• Support & debugging on Windows 7.
• Qemuwrapper improvements & Windows compatibility.
• Integration of Cisco IDS/IPS, including a new symbol.
• Qemu 0.11.0 patched and Putty have been added in the Windows all-in-one package.
• An option to show the z coordinate of any object on the scene (View -> Show layers).
• Interface labels follow their moving parent nodes.
• Modified interface labels are saved in .net files.
• Option to slow start nodes (wait x seconds between each start).
• Links connected to Qemu based nodes are now removable (nodes have to be shutdown to do so).
• Possibility to set an hypervisor for Ethernet switches, ATM switches, ATM bridges and Frame Relay switches.
• New symbols for voice labs (Call manager, SIP server, IP phone, voice router, voice access server and PBX).
• New dialog window to browse and change a router startup-config.
• Undo/redo of actions is now supported.
• Qemu & qemu-img paths are saved in .net files if needed.
• Slight improvements for the snapshot system, including a new dialog window to manage it.
• Wics description in tooptips.
• Wics restoration from .net files.
• Support of relative paths in .net files (if the base path is the same as the .net file).
• Test button to validate you can launch Qemuwrapper, Qemu and qemu-img.
• New translation in Czech (thanks to Ondrej Filip).
• Lot of various small bug fixes and improvements.
• “versions” command to display Qt, PyQt and SIP versions

This version has been tested on the following OS:

• Windows 7 Professional x86 (Qt 4.5.3, PyQt 4.6.2, SIP 4.9.3)
• Windows XP SP3 x86 (Qt 4.5.3, PyQt 4.6.2, SIP 4.9.3)
• Ubuntu 9.10 (Qt 4.5.2, PyQt 4.6.1, SIP 4.9.1)
• Mac OS X Snow Leopard (Qt 4.5.3, PyQt 4.6.2, SIP 4.9.3)

So, now I have to test it – I somehow miss the Mac OS X version to download…

vpnclient-winx64-msi-5.0.07.0240-k9.exe - Vista, Windows 7 - 64bit only.

I think important to know:

The new client beta requires a kernel patch, KB952876, from Microsoft before
installing first installing the actual client.  It is also suggested that
Service Pack 2 for Vista be installed.

REF: http://support.microsoft.com/kb/952876/en-us

VPN Client takes longer to connect on Vista compared to XP. This is due to
new features in Vista.

The Cisco VPN Client for Windows Vista and Windows 7 does NOT support
the following:
* System upgraded from Windows XP to Vista or Windows 7
  (clean OS installation required).
* Start Before Logon
* Integrated Firewall - See workaround below.
* InstallShield
* 64bit support
* AutoUpdate
* Translated Online Help - Provided only in English

If you are experiencing a BlueScreen on XP related to the VPN client built-in
Firewall client, please follow the workaround below.(check out release notes).

Check out the release notes for any details.

• Service Provider
• Storage
• Wireless

I see, life is getting hard also there…

Effective January 4, 2010, the Cisco CCIE® Service Provider, Storage, and Wireless lab
exams will add a new type of question format in a section called Core Knowledge. In
this new section, candidates will be asked a series of four open-ended questions
that require a short written response to be entered into the computer, typically
several words. The questions will be randomly drawn from a pool of questions
on topics eligible for testing. Candidates can review the topics by visiting the
CCIE track information on Cisco.com or the Cisco Learning Network. No new
topics are being added as a result of this change.

Candidates will have up to 30 minutes to complete the Core Knowledge section
and may not return to it once they have moved on. A passing score on the Core
Knowledge section is required to achieve certification. Core Knowledge questions
were implemented on Routing and Switching labs in February 2009 and Security labs
in June 2009, and allow Cisco to maintain strong exam security and ensure that
only qualified candidates are awarded CCIE certification. Candidates with exam dates
on January 4, 2010 or later should expect to see the new question format on their lab
exam.
[More Information]

Taking the opportunity I’m going to visit several tracks. Maybe I see some of you there ,-)

• Routing and Switching
• Voice
• Security
• Wireless

Take a Learning@Cisco Self-Assessment and you'll learn what you already know
as well as receive recommended training and guidance for you to take the next
steps on your learning path. Learning@Cisco Self-Assessments are available for
Routing and Switching, Voice, Security and Wireless.

I’ve tried the assessment test and I think the questions are partially easier than I’ve had on my written exam and some are … well… ,-)

If you finished the test you will get directed to the ‘Guidance‘ page where you get further material for your studies.

But anyway, here’s the link for the assessment test – try it yourself.

I’ve added some tutorials and topologies in my download area.

If you have any questions just don’t hesitate to ask me.

The idea is quite simple: Once a customer is virus infected or doing something nasty put him into a sandbox using some firewall forwading (IPFW) and squid magic. I’ve created such a sandbox about 3 years ago – but I have new ideas and some updates I want to bring in. I will probably show how the whole system works in a later post.

But before going live with the new sandbox I just wanted to test the basics and make sure i have some proof of concept that everything is working as planned.
So I took one of my PCengines Alix board (alix2d3) and decided to install FreeBSD 7.2 on it.

Sounds easier as it is but here are the steps what I did:

Installing FreeBSD to have a PXEboot Environment using a serial console

Actually, installing FreeBSD over the network is quite simple and consists of following tasks:

1. configure a DHCP server
2. configure a TFTP server
3. configure a NFS server
4. prepare the data for the installation
5. modify some stuff on the nfs host
6. boot the alix box and install everything needed
7. reboot alix box and enjoy

So, but some stuff is really tricky…

Using a Virtual Machine as Host

To not fuck up any hardware installation on my side I decided to use my macbook pro and parallels to start a virtual-machine for the FreeBSD host. Just create a new virtual machine and do some basic FreeBSD installation – dont forget the ports collection and all sources -  and also install ‘rsync’ (out of the ports).

Make sure you have connectivity to the internet (put the network adapter into bridged ethernet mode) to download sources from the internet.

By the way: You can download an already prepared VM from parallels with FreeBSD 7.1. It will not work to get over step 5. Just as an info…

Step 1: Configure a DHCP Server

Just install the ISC DHCP Server

 # cd /usr/ports/net/isc-dhcp30-server
 # make install

Since I just need a basic DHCP server I disabled all options. Once the DHCP server is installed you need to change the configuration (/usr/local/etc/dhcpd.conf). Mine looks like:

option domain-name "mrmouse.ch";
option domain-name-servers 193.239.21.21, 193.239.21.20;
default-lease-time 600;
max-lease-time 7200;
ddns-update-style ad-hoc;
log-facility local7;

subnet 192.168.1.0 netmask 255.255.255.0 {
}

host newbox.mrmouse.ch {
      hardware ethernet 00:0d:b9:17:2d:ac;
      fixed-address 192.168.1.100;
      next-server 192.168.1.1;
      filename "freebsd7/boot/pxeboot";
      option root-path "/usr/local/freebsd7";
}

Note: 192.168.1.1 is the IP address of my FreeBSD host running the DHCP/TFTP/NFS server. the ‘filename’ and root-path will become obvious when configuring the data for tftp and nfs.

Before being able to start the DHCP server you have to activate it in the /etc/rc.conf.
Just add dhcpd_enable=”YES” to the configuration file.

Now you may start the dhcp server:

# /usr/local/etc/rc.d/isc-dhcpd start

Step 2: Configure a TFTP Server

It’s great that FreeBSD has already a TFTP server built in. Just activate it in the /etc/inetd.conf file and change the path to /usr/local:

 tftp    dgram   udp     wait    root    /usr/libexec/tftpd      tftpd -l -s /usr/local

Hopefully you’ve already allowed inetd to be started (/etc/rc.conf -> inetd_enable=”YES”)

Now restart inetd:

# /etc/rc.d/inetd restart

Step 3: Configure a NFS Server

Add following lines to /etc/rc.conf:

 rpcbind_enable="yes"
 mountd_enable="yes"
 nfs_server_enable="yes"

Now we have to export the directoy. Edit (or create if not existing) /etc/exports and add:

 /usr/local/freebsd7     -network 192.168.1 -mask 255.255.255.0

Since this directory is not yet existing – lets create it:

 # mkdir /usr/local/freebsd7
 # chmod 755 /usr/local/freebsd7

Now we’re ready to start the NFS services:

 # /etc/rc.d/rpcbind start
 # /etc/rc.d/mountd start
 # /etc/rc.d/nfsd start

Verification can be done by typing

 # showmount -e
 Exports list on localhost:
 /usr/local/freebsd7                192.168.1.0

Step 4: Prepare the Data for the Installation

Mount the ISO file you’ve downloaded and used to setup your virtual machine within your VM and copy all files to your newly created directories:

 # rsync -avH /cdrom/ /usr/local/freebsd7/
 # cp -pR /cdrom/* /usr/local/freebsd7

Step 5: Modify some stuff

The most important thing now is that we increase the speed of the serial console for the installation. The default speed of the serial console is 9600bps. Setting some variables will not not change it.
Within your VM change the pxeboot to set the higher speed:

 # cd /sys/boot
 # make clean
 # make BOOT_COMCONSOLE_SPEED=115200

Note: Dont dare to make a ‘make install’! We don’t want to modify the bootstrap of the VM.

After we’ve done this we my copy the new pxeboot for our tftp client and clean up the mess:

 # cd /sys/boot/i386/pxeldr
 # cp pxeboot /usr/local/freebsd7/boot
 # cd /sys/boot
 # make clean

After this step we need to configure the new loader.conf.
Update /usr/local/freebsd7/boot/loader.conf and just add those 3 lines to it – leave the rest untouched:

 comconsole_speed="115200"
 console="comconsole"
 vfs.root.mountfrom="ufs:/dev/md0c"

It seems that there’s some bug for the mfs_root in FreeBSD when loading a compressed file during boot. Workaround is to not use a compressed file, therefore:

 # cd /usr/local/freebsd7/boot
 # gzip -d mfsroot.gz

Step 6: Boot your alix board and install FreeBSD

Attach your alix board to your host and boot it. It might be that you need to activate PXE boot in the BIOS (press ‘s’ during memory check).
Change your console speed to 115200bps.

During startup you see the client MAC address. Remember it and modify the “hardware ethernet”-line in the /usr/local/etc/dhcpd.conf and restart the DHCP server.

If everything is going fine you should see the ‘Welcome to FreeBSD’ banner and get sysinstall ready to install your small box.

During installation watch out:

• I used “FreeBSD system console (monochrome)” for installation. Was the best ,-)
• use the “Standard” Boot loader – not the FreeBSD BootMgr
• add a user (or you will not be able to ssh to the box)
• set a root Password. Mine is “123″ … (just a joke ,-))
• enable ssh
• enable TTY for serial console (motify /etc/tty so you get:

  ttyd0   "/usr/libexec/getty std.9600"   vt100 on secure)

• disable all other TTYs (ttyv0 – 8 -> put ‘off’)

Note: For FreeBSD 8.x ttyd0 has to be replaced by ttyu0.

Step 7: Finish installation and reboot

Once everything is finished you can reboot the box (actually after installation the box will reboot). Just take out the LAN cable otherwise you start another installation.
Don’t forget to set back your terminal to 9600bps. If you want to change this you have to rebuild the boot block.
And now: Have fun now and do whatever your want with the alix box.

Cisco has revised the certification requirements for CCIE Routing & Switching
(CCIE R&S)-the expert level certification for network engineers.

The new certification standards reflect the job skills employers look for
at the expert level and are outlined on the Cisco Learning Network at
CCIE R&S v4.0 written exam topics and CCIE R&S v4.0 lab exam topics.
The revised CCIE R&S v4.0 exams are scheduled for release on October 18, 2009
and will immediately replace the currently available v3.0 exams. 

To support the certification changes, the Cisco 360 Learning Program for
CCIE R&S is being updated with new lessons on MPLS and Troubleshooting,
additions to the instructor-led workshops, new lab exercises for
self-paced practice, and new performance assessments.
The Program is the only authorized expert training currently aligned to
CCIE R&S v4.0. The program is delivered globally by Cisco Learning Partners. 

Save the Date: Two Live CCIE R&S Certification Webinars, May 20, 2009
Cisco will conduct two live webinars on Wednesday, May 20, 2009 covering
enhancements made to the CCIE R&S certification and to the
Cisco 360 Learning Program for CCIE R&S to align with the updates. 
Attendees can choose from calls at 8:00 AM and 7:00 PM PST.
Click here to register.

For more information on the updates, the Cisco 360 Learning Program for
CCIE R&S, and how to locate an authorized Learning Partner, access the
Cisco Learning Network.

By just having a quick look on the new lab blueprint I noticed following changes:

• MPLS needs to be configured (PE, CE)
• IPv6 increased (Multicast, EIGRP)
• Security: the zone based firewall and IPS (Intrusion Prevention System)
• Troubleshooting is a new section

On the written part I’ve noticed that analyzing a network and proposing changes to due e.g. a migration has also been added. Sounds like kind of CCDE stuff in there… Some IOS have been upgraded to the T-train and some Routers  (-3725s,  +1841s / +3825s) and Switches (no more 3550s) are replaced.

The Lab format did also changed: 2 hours independent troubleshooting and then a different 6 hours lab.

I think this new blueprint is now closer to what we have in real world. Troubleshooting is one of the key aspects which was missing in v3 – you had to troubleshoot what you’ve fucked up. As far as I remember in the old 2-day CCIE lab exams you had troubleshooting on the 2nd day. Now part of this came back. Thats great!

I’ve added the 2 PDF’s from Cisco which the blueprint details to the download section.

[Update]: Petr from Internetwork Experts made a great post about this.

Hello Cisco Certified Users:

If you are considering CCIE
certification, TODAY is the day to get the CCIE training materials/Bootcamps
that you need and save some money at the same time!

25% off all training
Today Only (April 30th, 2009)!

Discount Code: APR30X

http://www.internetworkexpert.com 

Training available for: CCIE (R&S, Voice, Security,
Service Provider), CCIE R&S Written, CCENT.

Please contact me with
any questions.

Best regards,
Stan

Stan Yee
Corporate &
Channel Sales Manager
syee@INE.com

Internetwork Expert,
Inc.
http://www.InternetworkExpert.com 
Toll
Free: 877.224.8987 x709
Direct/Outside US: +1.775.785.3026
Online
Community: http://www.IEOC.com 
CCIE Blog: http://blog.internetworkexpert.com 

Follow us on Twitter for updates, special promotions/offers:
http://twitter.com/inetraining

Just watching the twitter link gives me the impression that day have everyday kind of a “sale”-day ,-)

Without CBAC your filtering abilities is limited to pure access-lists which are examining the packets at network or transport layer. However CBAC gives you the ability to analyze also the application-layer protocol information. By example CBAC can detect the FTP connection informations and open also the correct ports for active FTP.

CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when specified traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered CBAC when exiting through the firewall.

You can inspect the traffic at any point of the router:

• Inbound or outbound traffic on the internal interface
• Inbound or outbound traffic on the external interface

It is important to note that CBAC operates at interface level.

Here’s how CBAC will help you: stateful

In following example we want to allow all traffic from inside to outside, but deny traffic initiated from external to the internal side. To solve this we could use the reflexive access-list feature but this is not the point now.

Lets assume we will place this inACL:

Router(config)#ip access-list extended inACL
Router(config-ext-nacl)#deny ip any any
Router(config-ext-nacl)#interface GigabitEthernet2/0
Router(config-if)#ip access-group inACL in

The result of this configuration is that all traffic from inside to outside is permitted, but the return traffic will be denied (deny ip any any).

To resolve this issue: Use reflexive access-lists or again: activate CBAC…

How CBAC needs to be configured

Router(config)#ip inspect name MyFirewall http
Router(config)#ip inspect name MyFirewall ftp
Router(config)#ip inspect name MyFirewall smtp

And apply it on the Router as outbound policy:

Router(config)#interface GigabitEthernet2/0
Router(config-if)#ip inspect MyFirewall out

Verification of CBAC

After all you can verify the configuration by typing show ip inspect all:

Router#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name MyFirewall
    http alert is on audit-trail is off timeout 3600
    ftp alert is on audit-trail is off timeout 3600
    smtp max-data 20000000 alert is on audit-trail is off timeout 3600

Interface Configuration
 Interface GigabitEthernet2/0
  Inbound inspection rule is not set
  Outgoing inspection rule is MyFirewall
    http alert is on audit-trail is off timeout 3600
    ftp alert is on audit-trail is off timeout 3600
    smtp max-data 20000000 alert is on audit-trail is off timeout 3600
  Inbound access list is inACL
  Outgoing access list is not set

So, lets generate on the client a http session and check the session database:

Router#show ip inspect sessions
Established Sessions
Session 672E0CE4 (192.168.1.100:46153)=>(193.239.22.2:80) http SIS_OPEN

This means nothing that just adding temporary entries in front of the access-list of the interface. inACL could now be dynamically extended like:

ip access-list extended inACL
   permit tcp host 193.239.22.2 eq 80 host 192.168.1.100 eq 46153
   deny ip any any

Again: Inspection Rules

If you dont specify a procotol to be inspected you will NOT get it passed. In my example I did not included ICMP so pinging a host in the internet will not bring us much:

CLIENT#ping 193.239.22.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 193.239.22.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

In short: ip inspect does only inspection on protocols you tell him to inspect. If you miss out something this will fall into the regular access-lists / filtering.

In my ICMP example you can either add ICMP to the protocol:

Router#conf  term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip inspect name MyFirewall icmp
Router(config)#end

CLIENT#ping 193.239.22.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 193.239.22.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/59/160 ms

or extend/edit the access-list:

Router#sh access-lists inACL
Extended IP access list inACL
10 deny ip any any (28 matches)
Router#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip access-list extended inACL
Router(config-ext-nacl)#5 permit icmp any any
Router(config-ext-nacl)#end

CLIENT#ping 193.239.22.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 193.239.22.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/82/252 ms

Last words

Normally, if you just want to have a standard firewall / stateful configuration you add something like:

Router(config)#ip inspect name MyFirewall udp
Router(config)#ip inspect name MyFirewall tcp
Router(config)#ip inspect name MyFirewall icmp
Router(config)#ip inspect name MyFirewall ftp
Router(config)#ip inspect name MyFirewall <anyotherspecialprotocolyouneed>

One really last word: DoS Attacks

Cisco recommends that you first make changes to the global timeout and threshold values before configuring your inspection rules:

Router(config)# ip inspect tcp synwait-time seconds
Router(config)# ip inspect tcp finwait-time seconds
Router(config)# ip inspect tcp idle-time seconds
Router(config)# ip inspect udp idle-time seconds
Router(config)# ip inspect dns-timeout seconds

Then you set up connection thresholds which is quite similar to setting thresholds for TCP Intercept:

Router(config)# ip inspect max-incomplete high number
Router(config)# ip inspect max-incomplete low number
Router(config)# ip inspect one-minute high number
Router(config)# ip inspect one-minute low number
Router(config)# ip inspect tcp max-incomplete host number  block-time minutes

A good example could be:

Router(config)# ip inspect tcp synwait-time 20
Router(config)# ip inspect tcp idle-time 60
Router(config)# ip inspect udp idle-time 20
Router(config)# ip inspect max-incomplete high 400
Router(config)# ip inspect max-incomplete low 300
Router(config)# ip inspect one-minute high 600
Router(config)# ip inspect one-minute low 500
Router(config)# ip inspect tcp max-incomplete host 300 block-time 0

Just make sure if you are modifiying the timeout and threshold values that you carefully monitor CBAC. Ensure that you’re not making the problem worse instead of fixing something. This is a real issue and risk.

In this example we would have to place a access-list like:

inACL:

ip access-list standard inACL
   permit tcp 192.168.1.0 0.0.0.255 any eq 80
   permit udp 192.168.1.0 0.0.0.255 any eq 53
   permit tcp 192.168.1.0 0.0.0.255 any eq 53
   deny ip any any

outACL:

ip access-list standard outACL
   permit tcp any eq 80 192.168.1.0 0.0.0.255
   permit udp any eq 53 192.168.1.0 0.0.0.255
   permit tcp any eq 53 192.168.1.0 0.0.0.255
   deny ip any any

Remark: I know that this list is not complete to surf the internet. But as an example it should be enough.

But we can easily replace this access-list when adding some stateful features to it…

Understanding reflexive access-lists

The cisco configuration guide is quite helpful to understand this feature.
Reflexive access lists are nothing else that defining criterias for outbound traffic and to allow that traffic on the way back are permitted. The router examines the outbound traffic and once it sees a new connection, the router is adding a temporary access-list entry to allow replies back in:

ip access-list extended outACL
   permit ip any any reflect MIRROR
!
ip access-list extended inACL
   evaluate MIRROR
!
interface GigabitEthernet2/0
   ip access-group outACL out
   ip access-group inACL in
!

Now, once the client is generating traffic, we can check the dynamic part by generating some traffic.

Router#show ip access-lists MIRROR
Reflexive IP access list Mirror
  permit tcp host 193.239.22.50 eq www host 192.168.1.100 eq 1234 (7 matches) (time left 294)

The timer is limited to 5 minutes (300 seconds). If additional traffic is passing matching an existing rule, the timer gets extended again to 5 minutes. If the router sees that the session is closed (either IFN or RST) the entry is removed from the access-list.

The timeout can be changed with the global ip reflexive-list timeout command.

Limitations of reflexive access-lists

Reflexive ACLs are not working with applications that use changing port-numbers during a TCP session. A good example is active FTP. If the port-number for a return packet is different that from the originating packet, the ACL will deny the packet.
If you want to have this working you would have to switch over to CBAC (Context Based Access-Lists) or use Passive FTP when originating requests from within your LAN.

Cisco explains quite good how to use ACLs:

• Configuring IP Access Lists
• Configuring Commonly Used IP ACLs (needs CCO login)

But do you know how to calculate an access-list which matches 10.20.30.40 and 40.30.20.10?

You should know that an access-list obeys to the quite simple mathemtical AND/OR and XOR world. The result will either match or will not match – so you can either permit or deny traffic.

Access-lists and wildcard masks are based on the AND and XOR logic. To remember:

With the AND Logic the result is 1 only when A and B are equal to 1.

A little bit different is when using the XOR logic: the result is 1 when A is different from B.

So, to get the specific information we need:

• A AND B gives us the address base / address to check
• A XOR B gives us the wildcard mask

access-list 1 permit [address_to_check] [wildcard_used_to_check]

Example: Match 10.20.30.40 and 40.30.20.10

Lets try to find an ACL to match 10.20.3.40 and 40.30.20.10.
To do so, we have first to convert this ip address into binary:

10.20.30.40 = 00001010.00010100.00011110.00101000
40.30.20.10 = 00101000.00011110.00010100.00001010

To get the address to check we use the AND logic:

    00001010.00010100.00011110.00101000
AND 00101000.00011110.00010100.00001010
---------------------------------------
    00001000.00010100.00010100.00001000 =  8.20.20.8

To get the wildcard mask we use the XOR logic:

    00001010.00010100.00011110.00101000
XOR 00101000.00011110.00010100.00001010
---------------------------------------
    00100010.00001010.00001010.00100010 = 34.10.10.34

Which results in:

access-list 1 permit 8.20.20.8 34.10.10.34

Easy, isn’t it?

Example: Match 172.30.16.0 thru 172.30.31.0

The next example is a little bit different. It should match a range of possible addresses. I just keep an eye on the 3rd octet.
First thing is again: convert it to binary:

16 = 0001 0000
17 = 0001 0001
18 = 0001 0010
..
31 = 0001 1111
--------------
          ^^^^
          Notice: This is, where changes happen

The important sentence for this task is to remember: “0 means the bit which cares me, 1 does not care”. Meaning that everywhere, where a 1 is set, I dont care wheater the value is changing or not. Where 0 means that this has to stay at is is.

In this example the first 4 bits have to stay as they are, so we place 0000. The last bits may change -> 1111.

To explain this in math: Apply AND on all those numbers to get the base:

    0001 0000 (16)
AND 0001 1111 (31)
-------------
    0001 0000 = 16

And apply XOR to get the wildcard mask:

    0001 0000 (16)
XOR 0001 1111 (31)
-------------
    0000 1111 = 15

By using this logic you end up with the access-list:

access-list 1 permit 172.30.16.0 0.0.15.0

Match all even numbers in the 3rd octet of 200.0.0.0

This question is really a classic example which will come at any CCIE exam.
Again we start converting some random number of addresses to binary:

200.0.0.0 = 11001000.00000000.00000000.00000000
200.0.1.0 = 11001000.00000000.00000001.00000000
200.0.2.0 = 11001000.00000000.00000010.00000000
200.0.9.0 = 11001000.00000000.00001001.00000000
                                     ^
                                     This last bit is changing all the time.

Since that last bit in the 3rd octet is changing all the time, we don’t care (=1) it. So the 3rd octet wildcard will be: 0000 0001 which gives us following access-list:

access-list 1 permit 200.0.0.0 0.0.1.0

Match all odd numbers in the second octet of 200.0.0.0

We again write some random values of the 2nd octet into binary:

200.0.0.0 = 11001000.00000000.00000000.00000000
200.0.1.0 = 11001000.00000001.00000000.00000000
200.0.2.0 = 11001000.00000010.00000000.00000000
200.0.9.0 = 11001000.00001001.00000000.00000000
                     ^^^^^^^
                     Changing bit for even/odd gets -> 1
                     The Last bit we care -> 0

Then we notice that the last bit is always zero. Since we care that this bit remains (=0) the rest may change (=1). This gives us the binary 1111 1110. At the end we’ve got:

access-list 1 permit 200.0.0.0 0.254.0.0

One last word: summary routes

If you’re asked to create a summary-route for some specific subnets: this is not different than calculating a range of ip addresses. But you can shorten this up.

Lets assume you need to create summary of following networks including ONLY those networks:

10.10.31.0/24
10.10.32.0/24
10.10.33.0/24
10.10.34.0/24
10.10.35.0/24
10.10.36.0/24
10.10.37.0/24

First thing you change this into binary:

0001 1111 (31)
0010 0000 (32)
0010 0001 (33)
0010 0010 (34)
0010 0011 (35)
0010 0100 (36)
0010 0101 (37)

We notice that 31 is stepping out of the line.  We will see that the last 3 bits are interesting to us. But, if we put the last 3 bits into ‘dont-care-modus’ (setting to 1) we will also include 0110 (38) and 0111 (39) which is not allowed. So we break at the end this into 3 parts:

0001 1111 (31) -> 10.10.31.0 0.0.0.255

0010 0000 (32)
0010 0001 (33)
0010 0010 (34)
0010 0011 (35)
--------------
0000 0011 (3)  -> 10.10.32.0 0.0.3.255

0010 0100 (36)
0010 0101 (37)
--------------
0000 0001 (1)  -> 10.10.36.0 0.0.1.255

Playing around with Sequence Numbers

You probably have noticed that since some IOS release you see some sequence numbers:

Router#sh access-lists
Standard IP access list 99
    10 permit 212.90.198.7
    20 permit 192.168.12.0, wildcard bits 0.0.0.255
    30 permit 193.100.0.0, wildcard bits 0.0.0.15
    40 deny   any

Your problem: You need to put another permit statment at the very beginning of the ACL.
The ACL is attached on an interface – you should know what happens if remove the ACL (no access-list 99; access-list 99 permit …) to update it. Yes: you will probably shoot yourself into the foot. Bad idea.

By using sequence numbers you can – guess what – add another sequence:

Router(config)#ip access-list standard 99
Router(config-std-nacl)#5 permit 1.1.1.1

Router#sh access-lists
Standard IP access list 99
5 permit 1.1.1.1
10 permit 212.90.198.7
20 permit 192.168.12.0, wildcard bits 0.0.0.255
30 permit 193.100.0.0, wildcard bits 0.0.0.15
40 deny   any

You can also remove a sequence:

Router(config)#ip access-list standard 99
Router(config-std-nacl)#no 5

In case you have no sequence numbers left where you want to put something in between, you may renumber / resequence the list:

Router(config)#ip access-list resequence 99 100 50
Router(config)#do sh access-list 99
Standard IP access list 99
100 permit 1.1.1.1
150 permit 212.90.198.7
200 permit 192.168.12.0, wildcard bits 0.0.0.255
250 permit 193.100.0.0, wildcard bits 0.0.0.15
300 deny   any

In this example 100 is the startnumber and 50 the step.

Access list & Interfaces?

If you want to know which access-lists are applied on a specific inteface: just ask your device!

Router#show ip access-lists interface loop22 
Extended IP access list T2 in
    10 permit tcp any host 1.2.3.4 eq smtp
Extended IP access list T1 out
    10 permit icmp any any

TCP-Flags & TTL

Cisco became more flexible in 12.4(something)T when you want to filter by TTL, DSCP values or even TCP flags:

Router(config)# ip access-list extended T3
Router(config-ext-nacl)#permit icmp any any ttl lt 20
Router(config-ext-nacl)#permit udp any any dscp af31
Router(config-ext-nacl)#permit tcp any any match-all +ack +fin -psh

The first example permits all ICMP packets with a TTL less or equal than 20, the second example matches any UDP traffic with a DSCP value of AF31 and the last example permits TCP traffic with an ACK, FIN but without any PSH bit set.

Using Objects?

If you’re used about using object groups: Cisco IOS 12.4(22)T is allowing to use it:

Router(config)#  ip access-list standard SERVERS
Router(config-std-nacl)#permit 1.1.1.1
Router(config-std-nacl)#permit 2.2.2.2
Router(config-std-nacl)#  ip access-list extended FWPOLICY 
Router(config-ext-nacl)#permit icmp any object-group SERVERS

Cisco ACL Editor

If you google around there are plenty of tools like FWBuilder or Gareth’s Cisco ACL Editor and Simulator which you may use to compile your access-list which fits your requirements.

Probably the most interesting features are:

• Access Lists
• Context Based Access Control (CBAC)
• Reflexive Access Lists
• Lock and Key (dynamic access-lists)
• Zone-Based Firewall
• TCP Intercept (to prevent DoS attacks)
• uRPF

I will try to hightlight some of them within my next posts and show you how to solve standard problems within a service provider network.

If you have special requests just drop me some comments.

While checking the access logfile from this blog I saw some strange logs:

sesamnet-fw.senselan.ch - - [16/Apr/2009:14:23:37 +0200] "GET /fileadmin/scripts/gatag.js HTTP/1.1" 404 2330
"http://test.riderschallenge.ch/organisation/zahlen-und-fakten.html"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)"

Checking out the source code of the website showed me why this happend:

<!--Google Analytics Code -> ACHTUNG! error404.html auch anpassen! -->
"http://www.kunde.ch/fileadmin/scripts/gatag.js" type="text/javascript"></script><!--www.kunde.ch ersetzen-->

Funny guys, ok, let’s have fun I said to myself. I wrote a mail to the hostmaster of the provider explaining the problem. After a while I saw that they haven’t changed nothing. Ok, fun time: Let’s create that javascript file ,-)

The javascript:

alert("Hello programmierer. Fix endlich deine dummen placeholder! ,-) Der owner von kunde.ch dankt dir recht herzlich.
Vielleicht sollte ich noch nen malicious code einbauen? kontakt findest du unter http://www.kunde.ch")
window.location.href = 'http://www.cyberkoch.ch/warmes/pfefilebasel220207.shtml';

Check out the comments for a reaction …

• Cisco Pwd Decryptor: Decrypt easily Cisco Type-7 Password
• Config Auditor: Le me analzye your Router/Switch config
• IP Tools: Ping, Traceroute, Dig, Whois, …

I like the config auditor which is using nipper to do a basic security audit of the configuration.

The first, ComeBack2009, reaches out to individuals with lapsed certifications who may be hesitant about renewing their certification.

• The ComeBack2009 promotion is for anyone who has achieved a Cisco certification in the past, but for whatever reason has let their certification credential lapse. If they take a full-priced exam now and don’t pass it, they can get a second chance in the form of a free retake. This gives those with lapsed certifications a jump start toward earning back their credential. Candidates must complete all exams needed for a certification in order to gain back their certification. Further details can be found at PearsonVUE.com/Cisco/ComeBack2009.

The second promotion, Specialize, is designed to promote Cisco’s new CCNA specialization certifications, announced last summer.

• The Specialize promotion encourages those who currently have a Cisco CCNA certification to “specialize” in a Cisco CCNA concentration. Individuals who take a full-priced CCNA concentration exam will be given a free retake exam should they need it. This offer is only valid for 640-460-IIUC CCNA Voice, 640-553 IINS CCNA Security and 640-721 IUWNE CCNA Wireless exams. Further details can be found at PearsonVUE.com/Cisco/Specialize.

With each of these promotions, both the initial exams and the free retakes must be scheduled and taken between January 20, 2009, and July 20, 2009, and regular retake rules apply. Candidates who are eligible for these promotions were invited to participate in an email blast sent by Cisco and they will receive a reminder midway through the promotion period.

I’ve recently ordered another list of books which are more or less covering MPLS and service provider features:

• Traffic Engineering with MPLS
• Layer 2 VPN Architectures
• Multi Protocol Label Switching and Virtual Private Networks
• BGP Design and Implementation
• Definitive MPLS Network Designs
• MPLS and VPN Architectures Volume I + II
• MPLS Fundamentals
• MPLS Configuration on Cisco IOS
• QoS for IP/MPLS Networks

I hope they will arrive within the next days

dilbert 2009/03/27

]]> http://blog.glogger.ch/2009/04/daily-dilbert/feed/ 0 http://blog.glogger.ch/2009/04/how-to-prepare-for-the-rs-lab-exam/ http://blog.glogger.ch/2009/04/how-to-prepare-for-the-rs-lab-exam/#comments Tue, 14 Apr 2009 10:00:45 +0000 Steven http://blog.glogger.ch/?p=318 Well, everyone has probably a different approach but in detail there are all quite the same.
To pass the lab exam you need to follow some strategies:

Know what Cisco wants from you

Use the Cisco Blueprint to get an overview. But since the blueprint is too less detailled, write your own blueprint. You can download mine if this helps you.
It is also important that you crosscheck the blueprint with the DocCD to ensure that you don’t miss a thing.

Plan your studies

You have to plan your studies. I’ve reserved 2 evenings (well..more or less nights) and 1 full weekend-day to practise the lab. I was always learning monday and wednesday evening and the full saturday or sunday. It is important to have some fixed days because it allowes you to be flexible, tohave spare time (and your wife will be glad also) and to have some kind of a constant rhytm.
A good study plan is key to your success.

Plan when you want to learn what and when you want to do which lab. I told myself in november last year that until mid of january I want to finish all 20 labs from internetworkexpert. And I did it!

Know the features

You have to know what feature does what. You don’t have to know it into it’s very detail (see next point) but you have to know that:

1. A feature exists
2. How it works
3. Where to find detailled informations (see next topic)

Of course, the more you know about the feature and how to configure it, the more time you have during the exam and the more relaxed you can thru it.

Know where to find the stuff

If you never clicked yourself thru the univerCD (aka DocCD) you’re doomed to fail. You don’t have to know every feature by heart, but you have to know where to find it within 20 seconds.

Some examples:

• Regular Expressions: 12.4 -> Terminal Services -> Appendixes -> Regular Expressions
• Protocols / Port Numbers / ICMP Types: Security -> Firewall Applicances -> ASA 5500 -> Command Line Guide -> Reference -> Addresses, Protocols, and Ports
• Protocols: Wireless -> Aironet 1250 -> Appendix A: Protocol Filters
• DRP: is under “Network Management”
• Regex Engine Performance Enhancement: can be found under 12.4T -> Routing -> BGP
• Control Plane Policing: It is not under security. Check out QoS -> Part 4: Policing and Shaping -> Configuring Traffic Policing -> Control Plane Policing.
  But since some days theres a new section “Cisco IOS Security Configuration Guide: Securing the Control Plane, Release 12.4″ which contains the same as above.

Have good notes

I dont know how you learn, but I’ve started to write my own Wiki with my notes and to keep them in order (my paper-notebook was just a chaos, this is why i’ve choosen the electronic version )

But don’t forget: the univerCD is the best base for material and notes.

Have good training material

I’ve used the workbooks from InternetworkExpert:

• Volume I: Is good to get to know how the Feature is used. It is divided into topics: Layer 2, BGP, OSPF, QoS, …
• Volume II: Are full 8hour labs. Some are more difficult, some are quite easy (at least I had the impression). With Vol II you learn how to do whole labs. You learn about timemanagement, testing, etc.
• Volume III: Are core labs (4hours) just about Layer 2 and Routing  (“Routing & Switching”).

Beside of this you can also do some assessor exams directly from cisco. But they are quite expensive but also quite close to real lab tests.

I’ve heard that the training material from IPExpert is not bad, but I have no experience at all.

Read a lot

No single source can be used to make you pass the lab exam. You have to get your knowledge thru different sources: Cisco website/DocCD, RFCs, books, forums, blogs, links in the internet, google searches, etc…

I will publish in some days the list of books i’ve used for my studies.

Some words about timemanagement during the lab

If you finish some training labs in more than 8 hours: no panic. The more practise you have, the more time you get. I’ve had at the end about 4-5hours average to finish a training-lab including the whole testing/debugging. When I was at Cisco in Brussels i finished about 90% of the lab before lunchtime. I had on both tests more than 3 hours left when I finished my lab to test, reread the whole stuff, etc.

Be a teamplayer

I’m quite sure you got some friends which are also going for the CCIE. Learn together. Subscribe (and be active!) on mailinglists, participate in forums, read blogs, … do whatever you like, but be active on this. Beside of learning there’s also a lot of fun behind becoming a CCIE ,-) Don’t be afraid also to ask people if you need more informations or help.

Play around and be open-minded

There’s not always a masterplan how you can solve a task. If you need to filter traffic between devices you can use ACLs but what about L2-filtering (on vlan)? How to make routes external in ospf? Ever thought about using a second ospf process and redistribute?

If a you know other ways to solve a task solve it in different ways. Test if your idea is working, but just try it. Don’t be to blind to just always use way number X to solve task Y. Play around!

Testing and Debugging

Testing is key to pass. If you don’t test what you’ve implemented you gonna fail for sure! Test every single task. You will spend a lot of your time during your studies to learn how to test a single feature. Don’t trust any solution unless you try and prove it by yourself in the lab.

Register for a lab

Once you’ve got a lab date, you’ve got some pressure. You’ve got a target to reach. I’ve needed that target to be more effective.

Last but not least: have fun!

Yes, that right. You can have fun during our preparations. Imagine all the new things you can learn; imagine how much time you can spend in just playing around with features and configurations; imagine how proud you can be once you passed everthing. Becoming CCIE is more than just studying…

But don’t be afraid, as I develop myself this page should also. I will not write only about becoming a CCIE, how to pass the exam, etc.