CCNA Security Prep

So after looking at the CCNP SWITCH, I figured I would look at the certification I am studying for: CCNA Security. It is known that this exam is a bit tougher than in the past.  Knowing this, I am focusing on doing more lab work for all topics.

Like the SWITCH exam, I reviewed the CCNA Security exam blueprint and the official lab book. The goal of this research is to find out what is not covered in the Cisco lab book and to plan how to create or find other labs that help solidify knowledge of the topic areas in question. Sure enough, there is a gap in the exam objectives covered by the lab book.

As with the SWITCH exam, some topics may not have a lab because the exam only tests your understanding of them (highlighted green). Others require you to know how to configure, test, and troubleshoot (highlighted red). See below:

1.0 Security Concepts 12% 
1.1  Common security principles
1.1.a Describe confidentiality, integrity, availability (CIA)
1.1.b Describe SIEM technology
1.1.c Identify common security terms
1.1.d Identify common network security zones
1.4 Describe network topologies
1.4.a Campus area network (CAN)
1.4.b Cloud, wide area network (WAN)
1.4.c Data center
1.4.d Small office/home office (SOHO)
1.4.e Network security for a virtual environment

2.0 Secure Access 14%
2.1   Secure management
2.1.a Compare in-band and out-of band
2.1.b Configure secure network management
2.1.c Configure and verify secure access through SNMP v3 using an ACL
2.1.d Configure and verify security for NTP
2.1.e Use SCP for file transfer
2.2.d Explain the integration of Active Directory with AAA
2.2.e Describe authentication and authorization using ACS and ISE
2.3 802.1X authentication
2.3.a   Identify the functions 802.1X components
2.4 BYOD
2.4.a Describe the BYOD architecture framework
2.4.b Describe the function of mobile device management (MDM)

3.0 VPN 17%
3.1  VPN concepts
3.1.a Describe IPsec protocols and delivery modes (IKE, ESP, AH, tunnel mode, transport mode)
3.1.b Describe hairpinning, split tunneling, always-on, NAT traversal
3.2 Remote access VPN
3.2.e Identify endpoint posture assessment

4.0 Secure Routing and Switching 18% 
4.1 Security on Cisco routers
4.1.a Configure multiple privilege levels
4.1.b Configure Cisco IOS role-based CLI access
4.1.c Implement Cisco IOS resilient configuration
4.2 Securing routing protocols
4.2.a Implement routing update authentication on OSPF
4.3 Securing the control plane
4.3.a Explain the function of control plane policing
4.4 Common Layer 2 attacks
4.4.a Describe STP attacks
4.4.b Describe ARP spoofing
4.4.c Describe MAC spoofing
4.4.d Describe CAM table (MAC address table) overflows
4.4.e Describe CDP/LLDP reconnaissance
4.4.f Describe VLAN hopping
4.4.g Describe DHCP spoofing
4.6 VLAN security
4.6.a Describe the security implications of a PVLAN
4.6.b Describe the security implications of a native VLAN

5.0 Cisco Firewall Technologies 18%
5.1  Describe operational strengths and weaknesses of the different firewall technologies
5.1.a Proxy firewalls
5.1.b Application firewall
5.1.c Personal firewall
5.2 Compare stateful vs. stateless firewalls
5.2.a Operations
5.2.b Function of the state table
5.3 Implement NAT on Cisco ASA 9.x
5.3.a Static
5.3.b Dynamic
5.3.c PAT
5.3.d Policy NAT
5.3.e Verify NAT operations
5.4 Implement zone-based firewall
5.4.b Self zone
5.5 Firewall features on the Cisco Adaptive Security Appliance (ASA) 9.x
5.5.g Describe security contexts
5.5.h Describe firewall services

7.0 Content and Endpoint Security 12% 
7.1  Describe mitigation technology for email-based threats
7.1.a SPAM filtering, anti-malware filtering, DLP, blacklisting, email encryption
7.2 Describe mitigation technology for web-based threats
7.2.a Local and cloud-based web proxies
7.2.b Blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, TLS/SSL decryption
7.3  Describe mitigation technology for endpoint threats
7.3.a Anti-virus/anti-malware
7.3.b Personal firewall/HIPS
7.3.c Hardware/software encryption of local data
This list is not 100% accurate, as I am using the table of contents as a reference. However, seeing a lot of exam objectives that need you to know the commands and their output leads me to believe that supplementation is needed.

Posted in Certification

CCNP SWITCH Prep

While preparing for this weekend’s CCNP study group session, I reviewed the CCNP SWITCH exam blueprint and the official lab book. I noticed a major gap in the exam objectives covered by the lab book. Having passed the CCNP SWITCH exam, I wanted to share with my study group colleagues what is not covered in the Cisco lab book and what we should do to create or find other labs that help solidify knowledge of the topic areas in question.

Now, some topics may not have a lab because the exam only tests your understanding of them (highlighted green). Others require you to know how to configure, test, and troubleshoot (highlighted red). See below:

1.1 Configure and verify switch administration
1.1.a SDM templates
1.1.b Managing MAC address table
1.1.c Troubleshoot Err-disable recovery

1.2 Configure and verify Layer 2 protocols
1.2.a CDP, LLDP
1.2.b UDLD

1.5.d EtherChannel misconfiguration guard

1.6 Configure and verify spanning tree
1.6.c PortFast, BPDUguard, BPDUfilter
1.6.d Loopguard and Rootguard

1.7 Configure and verify other LAN switching technologies
1.7.a SPAN

1.8 Describe chassis virtualization and aggregation technologies
1.8.a Stackwise

2.1 Configure and verify switch security features
2.1.a DHCP snooping
2.1.b IP Source Guard
2.1.c Dynamic ARP inspection
2.1.e Private VLAN
2.1.f Storm control

2.2 Describe device security using Cisco IOS AAA with TACACS+ and RADIUS
2.2.a AAA with TACACS+ and RADIUS
2.2.b Local privilege authorization fallback

This list is not 100% accurate, as I am using the table of contents as a reference. However, seeing a lot of exam objectives that need you to know the commands and their output leads me to believe that supplementation is needed.

The official lab book also has some topics that are not mentioned in the exam blueprint:

Chapter 5: InterVLAN Routing
Lab 5-1 Inter-VLAN Routing
Lab 5-2 DHCP
Chapter 7: Network Management
Lab 7-1 Synchronizing Campus Network Devices using Network Time Protocol (NTP)
Lab 7-2 Configure Campus Network Devices to Support Simple Network Management Protocol (SNMPv3)
Chapter 8: Switching Features and Technologies
Lab 8-1 IP Service Level Agreements and Remote SPAN in a Campus Environment

Posted in Certification

The ASA is here!

It took some time to find one, but I have got a Cisco ASA5505!


This ASA comes with the Security Plus license. Now I can start working on my CCNA Security firewall labs!

Posted in Certification

The end of an era…

The countdown to the end of the Cisco ASA 5505 has begun. Announced in late February, the baseline security device will be retired in 2022. So if you are studying for the CCNA Security, get your ASA now! I am sure the cost of the ASA will start to go down, making this hardware an easier pickup for home labs.

Cisco ASA 5505 End of Sale Announcement 

Posted in Cisco Rants

NAT/PAT

The planning and configuration of Network Address Translation/Port Address Translation (NAT/PAT) is similar on a security device to what it is on a router.

Define the internal IP address space to translate. This will help with choosing the right translation scheme for your application. You will configure an access list to define the IP addresses to be translated.

Define your inside and outside interfaces. Make sure you have configured IP addresses for these interfaces.

Map out your ports! This will be helpful for the firewall policies that will need to be built later.
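The three steps above carried through on both platforms the post compares, as an added example that is not from the original post: the router side uses an access list to select the addresses, the ASA 9.x side expresses the same plan as object NAT. All addresses, interface names and object names are constructed lab values (RFC 5737 space), and the ASA portion assumes the ASA 5505 default VLAN/port layout.

```cisco
! ----- Cisco IOS router: constructed lab addresses (RFC 5737 space) -----
! Step 1: access list selecting the inside addresses to be translated
access-list 10 permit 192.168.10.0 0.0.0.255
!
! Step 2: inside and outside interfaces, each with its own IP address
interface GigabitEthernet0/0
 description Inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Outside (ISP)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! PAT: all hosts matched by list 10 share the outside interface address
ip nat inside source list 10 interface GigabitEthernet0/1 overload
!
! Step 3: the port map, a static PAT publishing only TCP/443 of one server
ip nat inside source static tcp 192.168.10.50 443 interface GigabitEthernet0/1 443
!
! Verify with: show ip nat translations / show ip nat statistics
!
! ----- Cisco ASA 9.x: same plan as object NAT (ASA 5505 default VLAN layout) -----
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
! Dynamic PAT for the inside subnet behind the outside interface address
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Static PAT for the web server; the inbound ACL admits only the mapped port
object network WEB-SERVER
 host 192.168.10.50
 nat (inside,outside) static interface service tcp https https
!
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq https
access-group OUTSIDE_IN in interface outside
!
! Verify with: show nat detail / show xlate
```

Because ASA 9.x access lists reference the real (untranslated) address, the port map you planned in step 3 is exactly what the inbound ACL must permit, and nothing else on that host is reachable from outside.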


Posted in Certification, Skill Development, Uncategorized

Hairpinning

I have found myself asking when and where this would be useful. In what architectures or campus designs would this be implemented?

The idea is that you can route traffic back out the same interface it came in on, which is similar to the idea of reverse path forwarding (RPF) in routing. The major difference is that hairpinning focuses on routing packets that traverse the same security level in a virtual private network (VPN), while RPF focuses on keeping routing loop-free.
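One common answer to the "where is this useful" question is a remote-access VPN on the ASA: client traffic arrives on the outside interface through the tunnel and, when split tunneling is disabled, leaves through that same outside interface toward the Internet, so it is inspected by the firewall instead of bypassing it. The following ASA 9.x fragment is an added example, not from the original post; the pool, policy and object names are constructed, and it assumes a tunnel-group already references RA-GROUP-POLICY.

```cisco
! Allow a flow to enter and leave the ASA on the same interface (the U-turn itself)
same-security-traffic permit intra-interface
!
! Constructed address pool handed to remote-access VPN clients
ip local pool RA-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
!
! Tunnel everything so client Internet traffic is inspected here, not split out locally
group-policy RA-GROUP-POLICY internal
group-policy RA-GROUP-POLICY attributes
 split-tunnel-policy tunnelall
 address-pools value RA-POOL
!
! Hairpin NAT: pool addresses leaving "outside" again are PATed to the outside address
object network RA-POOL-NET
 subnet 10.10.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
!
! Verify with: show nat detail / show xlate / show vpn-sessiondb
```

Without the same-security-traffic line the ASA silently drops the returning flow, which is the first thing to check when hairpinned clients can reach internal hosts but not the Internet.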


Posted in Certification, Skill Development, Uncategorized

CCNP SWITCH Home Lab

The CCNP SWITCH lab is built on the foundation of the CCNA R&S lab. Most of the lab work can be done with the old 2950 switches from the CCNA. You will need some more, though. Here is my input on finding the right hardware. I should note that these recommendations are based on my own experience and outcomes.

Let's start with all the technologies that you must master for the CCNP SWITCH exam:

SDM templates, CDP, LLDP, VLANS, Trunking, DTP, VTP, STP, Etherchannels, SPAN, Stackwise, Port security, DHCP snooping, storm control, private VLANs, layer 2 switch security, AAA with TACACS and RADIUS, HSRP, VRRP, GLBP

Knowing this, let's look at some cost-effective hardware that you can use to work with all of these technologies for the test.

From my research, here are my recommendations:

Distribution Switches:

3550 Series

This is the best option for those with a small budget. The 3550s are end of life with Cisco, which makes the cost of these pretty low. You can get them with Power over Ethernet (PoE), which also helps with learning how to configure access ports for wireless access points. All of your exam objectives can be done with this switch. Also, the 1U form factor is small enough for your starter rack.

The upgrade, which is still relatively cost effective, is the 3560 switch. These switches are still supported by Cisco until 2021.

Access Switches:

Catalyst 2960

This is the best option for those with a small budget. If you bought this switch for your CCNA studies, then you are already set!


I recommend getting two of each. The SWITCH lab book uses a collapsed core model throughout:

2 core/distribution switches and 2 access switches

Here are some of the other items you need to get up and running:

Cables:

Ethernet (straight-through and crossover) cables and a console cable.

Ethernet cables

You should also invest in the Cisco lab workbook.

CCNP SWITCH Lab Manual, 2nd Edition

As always, do your research! Now that you have some experience under your belt, you are reinforcing your ability to research and procure the best hardware for your needs!

Places I buy equipment:

Ebay

Amazon

Cables and kits


My CCNP SWITCH Lab


3 x 2950 24-port switches

2 x 3550 switches (24 FE ports, 2 GE ports)

Not in use:

2 x 2610 routers with 2 WIC-1T serial cards

2 x 2610XM routers with 2 WIC-1T cards

Posted in Uncategorized