Archive for the ‘Cisco & Networking Related’ Category

Router Virtualization with GNS3

August 14th, 2009 No comments

Today I had a presentation in my company about virtualizing cisco routers.
Feel free to read my presentation:

I’ve added some tutorials and topologies in my download area.

If you have any questions just don’t hesitate to ask me.

Cisco Revises its Popular CCIE R&S Certification

May 5th, 2009 No comments

I got this morning another mail from cisco with updates to the CCIE certification:

Cisco has revised the certification requirements for CCIE Routing & Switching
(CCIE R&S)-the expert level certification for network engineers.

The new certification standards reflect the job skills employers look for
at the expert level and are outlined on the Cisco Learning Network at
CCIE R&S v4.0 written exam topics and CCIE R&S v4.0 lab exam topics.
The revised CCIE R&S v4.0 exams are scheduled for release on October 18, 2009
and will immediately replace the currently available v3.0 exams. 

To support the certification changes, the Cisco 360 Learning Program for
CCIE R&S is being updated with new lessons on MPLS and Troubleshooting,
additions to the instructor-led workshops, new lab exercises for
self-paced practice, and new performance assessments.
The Program is the only authorized expert training currently aligned to
CCIE R&S v4.0. The program is delivered globally by Cisco Learning Partners. 

Save the Date: Two Live CCIE R&S Certification Webinars, May 20, 2009
Cisco will conduct two live webinars on Wednesday, May 20, 2009 covering
enhancements made to the CCIE R&S certification and to the
Cisco 360 Learning Program for CCIE R&S to align with the updates. 
Attendees can choose from calls at 8:00 AM and 7:00 PM PST.
Click here to register.

For more information on the updates, the Cisco 360 Learning Program for
CCIE R&S, and how to locate an authorized Learning Partner, access the
Cisco Learning Network.

By just having a quick look on the new lab blueprint I noticed following changes:

  • MPLS needs to be configured (PE, CE)
  • IPv6 increased (Multicast, EIGRP)
  • Security: the zone based firewall and IPS (Intrusion Prevention System)
  • Troubleshooting is a new section

On the written part I’ve noticed that analyzing a network and proposing changes to due e.g. a migration has also been added. Sounds like kind of CCDE stuff in there… Some IOS have been upgraded to the T-train and some Routers  (-3725s,  +1841s / +3825s) and Switches (no more 3550s) are replaced.

The Lab format did also changed: 2 hours independent troubleshooting and then a different 6 hours lab.

I think this new blueprint is now closer to what we have in real world. Troubleshooting is one of the key aspects which was missing in v3 – you had to troubleshoot what you’ve fucked up. As far as I remember in the old 2-day CCIE lab exams you had troubleshooting on the 2nd day. Now part of this came back. Thats great!

I’ve added the 2 PDF’s from Cisco which the blueprint details to the download section.

[Update]: Petr from Internetwork Experts made a great post about this.

Yet another Internetwork Expert Promo

April 30th, 2009 No comments

I just got this mail from Internetwork Experts which is quite cool:

Hello Cisco Certified Users:

If you are considering CCIE
certification, TODAY is the day to get the CCIE training materials/Bootcamps
that you need and save some money at the same time!

25% off all training
Today Only (April 30th, 2009)!

Discount Code: APR30X 

Training available for: CCIE (R&S, Voice, Security,
Service Provider), CCIE R&S Written, CCENT.

Please contact me with
any questions.

Best regards,

Stan Yee
Corporate &
Channel Sales Manager

Internetwork Expert,
Free: 877.224.8987 x709
Direct/Outside US: +1.775.785.3026
CCIE Blog: 

Follow us on Twitter for updates, special promotions/offers:

Just watching the twitter link gives me the impression that day have everyday kind of a “sale”-day ,-)

Securing Cisco Devices: Part III – CBAC

April 28th, 2009 No comments

Cisco developped Context-based Access Control to intelligently filtering TCP and UDP packets based on application-layer protocols. You can inspect traffic for sessions that originate from any side of the firewall (can be an internal or external interface).

Without CBAC your filtering abilities is limited to pure access-lists which are examining the packets at network or transport layer. However CBAC gives you the ability to analyze also the application-layer protocol information. By example CBAC can detect the FTP connection informations and open also the correct ports for active FTP.

CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when specified traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered CBAC when exiting through the firewall.


You can inspect the traffic at any point of the router:

  • Inbound or outbound traffic on the internal interface
  • Inbound or outbound traffic on the external interface

It is important to note that CBAC operates at interface level.

Read more…

Securing Cisco Devices: Part II – Reflexive ACLs

April 27th, 2009 No comments

Reflexive Access-Lists are adding kind of a stateful logic to your access-list. When using normal access-lists you have to be quite detailled, what you need to open e.g. for surfing the web:


In this example we would have to place a access-list like:


ip access-list standard inACL
   permit tcp any eq 80
   permit udp any eq 53
   permit tcp any eq 53
   deny ip any any


ip access-list standard outACL
   permit tcp any eq 80
   permit udp any eq 53
   permit tcp any eq 53
   deny ip any any

Remark: I know that this list is not complete to surf the internet. But as an example it should be enough.

But we can easily replace this access-list when adding some stateful features to it…

Read more…

ACL Maths

April 21st, 2009 No comments

Today I thought, it would be nice to show the people out there, how an ACL can be computed to fit specific requirements.

Cisco explains quite good how to use ACLs:

But do you know how to calculate an access-list which matches and

Read more…

Securing Cisco Devices: Part I – ACLs

April 20th, 2009 No comments

Some think: I know all about ACLs. Right? Well, lets see.
I will not bother you with standard stuff which can be found on any how-to-use-an-acl-website.

Playing around with Sequence Numbers

You probably have noticed that since some IOS release you see some sequence numbers:

Router#sh access-lists
Standard IP access list 99
    10 permit
    20 permit, wildcard bits
    30 permit, wildcard bits
    40 deny   any

Your problem: You need to put another permit statment at the very beginning of the ACL.
The ACL is attached on an interface – you should know what happens if remove the ACL (no access-list 99; access-list 99 permit …) to update it. Yes: you will probably shoot yourself into the foot. Bad idea.

By using sequence numbers you can – guess what – add another sequence:

Router(config)#ip access-list standard 99
Router(config-std-nacl)#5 permit

Router#sh access-lists
Standard IP access list 99
5 permit
10 permit
20 permit, wildcard bits
30 permit, wildcard bits
40 deny   any

You can also remove a sequence:

Router(config)#ip access-list standard 99
Router(config-std-nacl)#no 5

In case you have no sequence numbers left where you want to put something in between, you may renumber / resequence the list:

Router(config)#ip access-list resequence 99 100 50
Router(config)#do sh access-list 99
Standard IP access list 99
100 permit
150 permit
200 permit, wildcard bits
250 permit, wildcard bits
300 deny   any

In this example 100 is the startnumber and 50 the step.

Access list & Interfaces?

If you want to know which access-lists are applied on a specific inteface: just ask your device!

Router#show ip access-lists interface loop22 
Extended IP access list T2 in
    10 permit tcp any host eq smtp
Extended IP access list T1 out
    10 permit icmp any any

TCP-Flags & TTL

Cisco became more flexible in 12.4(something)T when you want to filter by TTL, DSCP values or even TCP flags:

Router(config)# ip access-list extended T3
Router(config-ext-nacl)#permit icmp any any ttl lt 20
Router(config-ext-nacl)#permit udp any any dscp af31
Router(config-ext-nacl)#permit tcp any any match-all +ack +fin -psh

The first example permits all ICMP packets with a TTL less or equal than 20, the second example matches any UDP traffic with a DSCP value of AF31 and the last example permits TCP traffic with an ACK, FIN but without any PSH bit set.

Using Objects?

If you’re used about using object groups: Cisco IOS 12.4(22)T is allowing to use it:

Router(config)#  ip access-list standard SERVERS
Router(config-std-nacl)#  ip access-list extended FWPOLICY 
Router(config-ext-nacl)#permit icmp any object-group SERVERS

Cisco ACL Editor

If you google around there are plenty of tools like FWBuilder or Gareth’s Cisco ACL Editor and Simulator which you may use to compile your access-list which fits your requirements.

Securing Cisco Devices

April 19th, 2009 No comments

I got quite some mails in the past of people, asking me how creative we might be to filter traffic and perform some kind of security on a Cisco device.

Probably the most interesting features are:

I will try to hightlight some of them within my next posts and show you how to solve standard problems within a service provider network.

If you have special requests just drop me some comments.

Internetwork Expert April Sales

April 16th, 2009 No comments

Internetwork Expert is having also a sales promo. If you use the coupon code APRIL09 you get 20% off everything (material, courses, rack rentals, …).

Pearson Vue Cisco “ComeBack2009” and “Specialize” Promotions

April 15th, 2009 No comments

Just found following information on the Pearson Vue Homepage:

Cisco is launching two new promotions that may be of interest to your IT candidates.

The first, ComeBack2009, reaches out to individuals with lapsed certifications who may be hesitant about renewing their certification.

  • The ComeBack2009 promotion is for anyone who has achieved a Cisco certification in the past, but for whatever reason has let their certification credential lapse. If they take a full-priced exam now and don’t pass it, they can get a second chance in the form of a free retake. This gives those with lapsed certifications a jump start toward earning back their credential. Candidates must complete all exams needed for a certification in order to gain back their certification. Further details can be found at

The second promotion, Specialize, is designed to promote Cisco’s new CCNA specialization certifications, announced last summer.

  • The Specialize promotion encourages those who currently have a Cisco CCNA certification to “specialize” in a Cisco CCNA concentration. Individuals who take a full-priced CCNA concentration exam will be given a free retake exam should they need it. This offer is only valid for 640-460-IIUC CCNA Voice, 640-553 IINS CCNA Security and 640-721 IUWNE CCNA Wireless exams. Further details can be found at

With each of these promotions, both the initial exams and the free retakes must be scheduled and taken between January 20, 2009, and July 20, 2009, and regular retake rules apply. Candidates who are eligible for these promotions were invited to participate in an email blast sent by Cisco and they will receive a reminder midway through the promotion period.