Zenith Live 2018

Next week I will be attending Zenith Live.

Zenith Live is the first annual conference of Zscaler, a cloud-based security company. Zscaler provides network and internet security using a security-as-a-service model.

Taking place at The Cosmopolitan in Las Vegas, NV, the conference features a two-day training for the Zscaler Cloud Transformation Specialist certification.

I look forward to sharing my experiences and lessons learned from the conference.

Check back next week!



Posted in Uncategorized

Building a Terminal Server

This build came about during my CCNA Security studies. With 10 devices to configure, moving the console cable to each one was time consuming. A terminal server is a great tool for home labs and lets me switch quickly to the next device.

The first step was some hardware and software research. An older, unsupported Cisco router like a 3620 works for me, but any router with two Network Module (NM) slots will do. For my lab I am starting with a 16-port async network module (NM-16A). This module provides the asynchronous ports that connect to the console port of each network device.

The next step was deciding which devices to put on the terminal server and which to leave off. Because I only purchased one 8-port octal cable, I am only going to console up 8 of the 10 devices. I set up my routers and ASAs on the terminal server.

After getting the module and octal cable installed, I next need to set up the terminal server and the device names.

This terminal server will get its first use in my CCNA Security lab. I have it set up with my site-to-site VPN lab.
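The configuration below is an added example, not the post's own, showing how I would set up the terminal server just described. It assumes the NM-16A sits in slot 1 of the 3620, which puts its async lines at 33 through 48 (slot 0 would be lines 1 through 16; confirm with show line), a loopback address of 10.0.0.254 as the reverse-telnet target, 10.0.0.50 as the management host, and placeholder device names. Reverse telnet to port 2000 plus the line number lands you on that line, and nothing authenticates that connection by default, so the last section requires a local login and restricts the source address.

```cisco
! Loopback used as the reverse-telnet target. Any address that is routable
! from the management host will do (10.0.0.254/32 is an assumption here).
interface Loopback0
 ip address 10.0.0.254 255.255.255.255
!
! Async lines for an NM-16A in slot 1 (lines 33-48). In slot 0 they are 1-16.
line 33 48
 no exec                  ! never start a shell on the line itself
 exec-timeout 0 0
 transport input telnet   ! accept reverse-telnet connections on port 2000+line
 transport output none
 stopbits 1
 flowcontrol hardware
!
! Name-to-port mapping: TCP port = 2000 + line number. Only 8 lines are
! cabled because one octal cable covers 8 ports (device names are assumed).
ip host R1   2033 10.0.0.254
ip host R2   2034 10.0.0.254
ip host R3   2035 10.0.0.254
ip host ISP  2036 10.0.0.254
ip host ASA1 2037 10.0.0.254
ip host ASA2 2038 10.0.0.254
ip host SW1  2039 10.0.0.254
ip host SW2  2040 10.0.0.254
!
! Access control. Reverse telnet only authenticates if the async line itself
! requires a login; otherwise anyone who can reach TCP 2033 gets R1's console.
! Require a local login and limit the sources to the management host.
username labadmin privilege 15 secret <choose-a-strong-passphrase>
ip access-list standard CONSOLE-ACCESS
 permit host 10.0.0.50
 deny   any log
line 33 48
 login local
 access-class CONSOLE-ACCESS in
```

From the terminal server's exec prompt, typing the host name (R1) opens that console; Ctrl-Shift-6 then x suspends the session and show sessions lists the open ones. A line that answers "Connection refused by remote host" is usually still held by a stale session, and clear line 33 (or whichever line) frees it.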



Posted in Skill Development

CCNA Security Home Lab

The CCNA Security lab has most of its hardware roots in the Routing and Switching (R&S) track. If you already have 3 routers and 3 switches, you need one more piece of hardware. Here is my input on finding the right hardware; note that these recommendations are based on my own experience and outcomes.

Let's start with all the technologies you must master for the CCNA Security:

Hash algorithms, digital signatures, certificates, Public Key Infrastructure (PKI), AAA, Adaptive Security Appliance (ASA), Virtual Private Networks (VPN), RADIUS, TACACS+, 802.1X, IP security (IPsec), clientless SSL remote access VPN, AnyConnect SSL remote access VPN, IPsec site-to-site VPN on Cisco routers and ASA firewalls, Cisco IOS role-based CLI access, securing routing protocols, control plane policing, DHCP snooping, Dynamic ARP Inspection, Layer 2 port security, BPDU guard, root guard, loop guard, private VLANs, Network Address Translation (NAT), Zone-Based Firewalls (ZBF), Intrusion Prevention System (IPS).

With this info, here are my recommendations:


Catalyst 2960

If you got this switch for your CCNA, CCNP SWITCH studies, then you are already set!


I recommend getting 3 of these. The switches are mostly used for practicing AAA concepts, 802.1X authentication, Cisco IOS role-based CLI access, and Layer 2 security. These topics are on the CCNA and CCNP SWITCH exams, so the lab work will mostly be review.


2800 Series

If you got this router for your CCNA, CCNP ROUTE studies, then you are already set!


I recommend getting 3 of these. The 2800 is end of life but still supported by Cisco, and it is the best bang for the buck right now. Like the switches, you will work on hash algorithms, digital signatures, certificates, Public Key Infrastructure, role-based access, AAA, RADIUS, and TACACS+. The router-specific topics you will master are IPsec site-to-site VPN, routing protocol security, NAT, and ZBF. Make sure you are running the Advanced Security feature set: the image name in show version should contain advsecurityk9, or a superset such as advipservicesk9 or adventerprisek9, otherwise the crypto and ZBF commands will be missing.

Security Appliance:

Cisco ASA 5505:



The Cisco Adaptive Security Appliance 5505 is designed for small to medium size deployments. The good news for those building home labs is that Cisco is sunsetting this device in a few years, so look for decommissioned enterprise units to appear on the reseller market. I suggest getting 1 ASA with a Security Plus license, which unlocks VLAN trunking, more VLANs, and active/standby failover that the base license does not allow.

Here are some of the other items you need to get up and running:

Router Modules:

WAN Interface Cards (WIC): your routers need these to make serial connections. A WIC-2T gives you enough connections for your router triangle. Get 3 of these.


Ethernet (straight-through and crossover) cables and a console cable.

Serial cables for the routing links; use cables that match the WIC-2T (smart serial connectors).

You should also invest in the Cisco lab workbook.

As always, do your research!


Places I buy equipment:



Cables and kits


My CCNA Security Lab (phase 2)


2 x 2811 ISRs with 2 WIC-1T serial cards – enterprise edge routers

1 x 2610XM with 2 WIC-1T serial cards – ISP router

3 x 2950 Catalyst switches – LAN switches (1 installed)

3 x 2610 – end-user test devices

2 x ASA 5505 – currently deployed as firewalls

1 x 3620 router – currently deployed as terminal server

Not in use:


Posted in Certification, Skill Development

CCNA Security Prep

Having looked at the CCNP SWITCH exam, I figured I would look at the certification I am studying for: CCNA Security. This exam is known to be a bit tougher than in the past. Knowing this, I am focusing on doing more lab work for all topics.

As with the SWITCH exam, I reviewed the CCNA Security exam blueprint and the official lab book. The goal was to find out what is not covered in the Cisco lab book and to plan how to create or find other labs to solidify knowledge in those topic areas. Sure enough, there is a gap in the exam objectives covered by the lab book.

As with the SWITCH exam, some topics may not have a lab because the exam only tests your understanding of the topic (highlighted green). Others require you to know how to configure, test, and troubleshoot (highlighted red). See below:

1.0 Security Concepts 12% 
1.1  Common security principles
1.1.a Describe confidentiality, integrity, availability (CIA)
1.1.b Describe SIEM technology
1.1.c Identify common security terms
1.1.d Identify common network security zones
1.4 Describe network topologies
1.4.a Campus area network (CAN)
1.4.b Cloud, wide area network (WAN)
1.4.c Data center
1.4.d Small office/home office (SOHO)
1.4.e Network security for a virtual environment

2.0 Secure Access 14%
2.1   Secure management
2.1.a Compare in-band and out-of band
2.1.b Configure secure network management
2.1.c Configure and verify secure access through SNMP v3 using an ACL
2.1.d Configure and verify security for NTP
2.1.e Use SCP for file transfer
2.2.d Explain the integration of Active Directory with AAA
2.2.e Describe authentication and authorization using ACS and ISE
2.3 802.1X authentication
2.3.a   Identify the functions 802.1X components
2.4 BYOD
2.4.a Describe the BYOD architecture framework
2.4.b Describe the function of mobile device management (MDM)

3.0 VPN 17%
3.1  VPN concepts
3.1.a Describe IPsec protocols and delivery modes (IKE, ESP, AH, tunnel mode, transport mode)
3.1.b Describe hairpinning, split tunneling, always-on, NAT traversal
3.2 Remote access VPN
3.2.e Identify endpoint posture assessment

4.0 Secure Routing and Switching 18% 
4.1 Security on Cisco routers
4.1.a Configure multiple privilege levels
4.1.b Configure Cisco IOS role-based CLI access
4.1.c Implement Cisco IOS resilient configuration
4.2 Securing routing protocols
4.2.a Implement routing update authentication on OSPF
4.3 Securing the control plane
4.3.a Explain the function of control plane policing
4.4 Common Layer 2 attacks
4.4.a Describe STP attacks
4.4.b Describe ARP spoofing
4.4.c Describe MAC spoofing
4.4.d Describe CAM table (MAC address table) overflows
4.4.e Describe CDP/LLDP reconnaissance
4.4.f Describe VLAN hopping
4.4.g Describe DHCP spoofing
4.6 VLAN security
4.6.a Describe the security implications of a PVLAN
4.6.b Describe the security implications of a native VLAN

5.0 Cisco Firewall Technologies 18%
5.1  Describe operational strengths and weaknesses of the different firewall technologies
5.1.a Proxy firewalls
5.1.b Application firewall
5.1.c Personal firewall
5.2 Compare stateful vs. stateless firewalls
5.2.a Operations
5.2.b Function of the state table
5.3 Implement NAT on Cisco ASA 9.x
5.3.a Static
5.3.b Dynamic
5.3.c PAT
5.3.d Policy NAT
5.3.e Verify NAT operations
5.4 Implement zone-based firewall
5.4.b Self zone
5.5 Firewall features on the Cisco Adaptive Security Appliance (ASA) 9.x
5.5.g Describe security contexts
5.5.h Describe firewall services

7.0 Content and Endpoint Security 12% 
7.1  Describe mitigation technology for email-based threats
7.1.a SPAM filtering, anti-malware filtering, DLP, blacklisting, email encryption
7.2 Describe mitigation technology for web-based threats
7.2.a Local and cloud-based web proxies
7.2.b Blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, TLS/SSL decryption
7.3  Describe mitigation technology for endpoint threats
7.3.a Anti-virus/anti-malware
7.3.b Personal firewall/HIPS
7.3.c Hardware/software encryption of local data

This list is not 100% accurate as I am using the table of contents as a reference. However, seeing a lot of exam objectives that need you to know the commands and output leads me to believe that supplementation is needed.
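As an added example, not part of this post or of Cisco's lab book, here is a router configuration for the secure-management objectives in section 2.1 that need configure-and-verify practice: SSH-only in-band access, SNMPv3 restricted by an ACL, authenticated NTP, and SCP file transfer. The lab-typical weak settings are shown commented out beside the hardened versions. The host name, the management host 10.0.0.50, the NTP server 10.0.0.1, the user names and the angle-bracket secrets are assumptions to replace.

```cisco
! --- Weak lab defaults, shown for comparison only (left commented out) ----
! snmp-server community public RO     ! SNMPv2c: cleartext, readable by anyone
! ntp server 10.0.0.1                 ! unauthenticated time source
! line vty 0 4
!  transport input telnet             ! cleartext logins
!
! --- Hardened management plane -------------------------------------------
hostname R1
ip domain-name lab.example            ! required before generating the RSA key
! crypto key generate rsa modulus 2048   (exec-mode command, run it once)
ip ssh version 2
!
! Local AAA. SCP on IOS only works for a user whose exec authorization succeeds.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username labadmin privilege 15 secret <strong-passphrase>
ip scp server enable                  ! 2.1.e: copy configs over SSH, not TFTP
!
! 2.1.c: SNMPv3 with authentication and encryption (priv), read-only view,
! and accepted only from the assumed management host.
ip access-list standard SNMP-MGMT
 permit host 10.0.0.50
 deny   any log
snmp-server view LABVIEW iso included
snmp-server group LABRO v3 priv read LABVIEW access SNMP-MGMT
snmp-server user labsnmp LABRO v3 auth sha <auth-pass> priv aes 128 <priv-pass> access SNMP-MGMT
!
! 2.1.d: authenticated NTP, so a rogue time source cannot skew certificate
! validity checks or log timestamps.
ntp authentication-key 1 md5 <ntp-key>
ntp authenticate
ntp trusted-key 1
ntp server 10.0.0.1 key 1
!
! 2.1.b: SSH only on the vty lines, limited to the management host.
ip access-list standard VTY-MGMT
 permit host 10.0.0.50
 deny   any log
line vty 0 4
 transport input ssh
 access-class VTY-MGMT in
 exec-timeout 10 0
```

For verification, show snmp user lists the auth and priv protocols for labsnmp (the snmp-server user line is deliberately not shown in the running config, so do not look for it there), show ntp associations detail reports whether the peer is authenticated, show ip ssh confirms version 2, and copy running-config scp: from the router, or scp labadmin@10.0.0.1:running-config R1.cfg from the management host, exercises the SCP server.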

Posted in Certification


While preparing for this weekend's CCNP study group session, I reviewed the CCNP SWITCH exam blueprint and the official lab book. I noticed a major gap in covered exam objectives in the lab book. Having passed the CCNP SWITCH exam, I wanted to share with my study group colleagues what is not covered in the Cisco lab book and what we should do to create or find other labs to help solidify knowledge on the topic areas in question.

Now some topics may not have a lab as the topic may be only testing on your understanding of the topic (highlighted green). Some topics are ones where you need to understand how to configure, test, and troubleshoot (highlighted red). See below:

1.1 Configure and verify switch administration
1.1.a SDM templates
1.1.b Managing MAC address table
1.1.c Troubleshoot Err-disable recovery

1.2 Configure and verify Layer 2 protocols
1.2.a CDP, LLDP
1.2.b UDLD

1.5.d EtherChannel misconfiguration guard

1.6 Configure and verify spanning tree
1.6.c PortFast, BPDUguard, BPDUfilter
1.6.d Loopguard and Rootguard

1.7 Configure and verify other LAN switching technologies
1.7.a SPAN

1.8 Describe chassis virtualization and aggregation technologies
1.8.a Stackwise

2.1 Configure and verify switch security features
2.1.a DHCP snooping
2.1.b IP Source Guard
2.1.c Dynamic ARP inspection
2.1.e Private VLAN
2.1.f Storm control

2.2 Describe device security using Cisco IOS AAA with TACACS+ and RADIUS
2.2.a AAA with TACACS+ and RADIUS
2.2.b Local privilege authorization fallback

This list is not 100% accurate as I am using the table of contents as a reference. However, seeing a lot of exam objectives that need you to know the commands and output leads me to believe that supplementation is needed.
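As an added example, not from the post or the lab book, the switch configuration below covers the red-highlighted 2.1 objectives the lab book skips (DHCP snooping, IP Source Guard, Dynamic ARP Inspection, port security, storm control) together with the err-disable recovery from 1.1.c. It assumes a Catalyst 2960 running LAN Base, access ports Fa0/1-24 in VLAN 10, the DHCP server reached over trunk Gi0/1, and illustrative addresses; the 2950 does not support all of these features.

```cisco
! 2.1.a: DHCP snooping builds the binding table that IPSG and DAI rely on.
ip dhcp snooping
ip dhcp snooping vlan 10
! The switch inserts option 82 by default; turn it off unless the DHCP server
! is configured to accept it, or clients behind this switch get no lease.
no ip dhcp snooping information option
!
! 2.1.c: DAI checks ARP replies on VLAN 10 against the snooping bindings and
! also validates the MAC and IP fields inside the ARP body.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Uplink toward the DHCP server: trusted for both DHCP and ARP.
interface GigabitEthernet0/1
 description Uplink to distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports: untrusted, rate-limited, and bound to learned addresses.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 15      ! 2.1.a: cap DHCP packets per second
 ip arp inspection limit rate 15     ! cap ARP packets per second
 ip verify source                    ! 2.1.b: drop IP traffic not in the binding table
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 storm-control broadcast level 5.00  ! 2.1.f: suppress above 5% of bandwidth
 storm-control multicast level 5.00
 storm-control action trap
!
! A statically addressed host (assumed MAC/IP) needs a manual binding or
! IPSG and DAI will drop it.
ip source binding 0000.0c12.3456 vlan 10 10.10.10.5 interface FastEthernet0/24
!
! 1.1.c: recover err-disabled ports automatically after five minutes.
errdisable recovery cause bpduguard
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

To verify, show ip dhcp snooping binding lists the learned leases, show ip arp inspection vlan 10 and show ip arp inspection statistics show DAI state and drop counters, show ip verify source shows the per-port IPSG filters, show port-security interface FastEthernet0/1 reports the secure MACs and violation count, and show errdisable recovery confirms the recovery causes and timer.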

The official lab book also has some topics that are not mentioned in the exam blueprint:

Chapter 5: InterVLAN Routing
Lab 5-1 Inter-VLAN Routing
Lab 5-2 DHCP
Chapter 7: Network Management
Lab 7-1 Synchronizing Campus Network Devices using Network Time Protocol (NTP)
Lab 7-2 Configure Campus Network Devices to Support Simple Network Management Protocol (SNMPv3)
Chapter 8: Switching Features and Technologies
Lab 8-1 IP Service Level Agreements and Remote SPAN in a Campus Environment

Posted in Certification

The ASA is here!

It took some time to find one, but I have got a Cisco ASA 5505!


This ASA comes with the Security license. Now I can start working on my CCNA Security firewall labs!

Posted in Certification

The end of an era…

The countdown to the end of the Cisco ASA 5505 has begun. Announced in late February, the baseline security device will be retired in 2022. So if you are studying for the CCNA Security, get your ASA now! I am sure the cost of the ASA will start to go down, making this hardware an easier pickup for home labs.


Cisco ASA 5505 End of Sale Announcement 

Posted in Cisco Rants
