It’s time to start working on re-certification.  Hooray.   Thank goodness I only have to pass the written and not the lab!  Unfortunately, I’m pretty rusty.  I’ve been doing a very different job for some time and my Security-fu is suboptimal, to put it mildly.

So far, I’ve been less-than-dilligently reading Yusuf Bhaiji’s latest CCIE Security Book, Network Security Technologies and Solutions (CCIE Professional Development Series), but now it’s time to break out the equipment again.

Maybe you’re in the same boat, or maybe you’re just getting started.  Either way, the first thing you need is a switch; a clean switch, in fact, so that old configs don’t get in your way.

To this end, I grabbed my trusty 24 port 2900xl and fired it up.  It had all sorts of config on it, but that was easily blown away:

2900xl#write erase
Erasing the nvram filesystem will remove all files! Continue? [confirm]
[OK]
Erase of nvram: complete
2900xl#reload
Proceed with reload? [confirm]

The cleaning doesn’t end there, though.  We can’t forget about all those pesky VLANs that made so much sense once upon a time:

2900xl#sho vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
Fa0/5, Fa0/6, Fa0/7, Fa0/8,
Fa0/9, Fa0/10, Fa0/11, Fa0/12,
Fa0/13, Fa0/14, Fa0/15, Fa0/16,
Fa0/17, Fa0/18, Fa0/19, Fa0/20,
Fa0/21, Fa0/22, Fa0/23, Fa0/24
100  100_lab_vlan                     active
101  101_lab_vlan                     active
102  102_lab_vlan                     active
110  110_lab_vlan                     active
111  111_lab_vlan                     active
113  113_lab_vlan                     active
120  AAA_lab_vlan                     active
121  R1_lab_vlan                      active
122  R2_lab_vlan                      active
123  R3_lab_vlan                      active
124  R4_lab_vlan                      active
125  125_lab_vlan                     active

Look at them all.  I’ve got no use for them now, so lets get rid of them.   We could delete them one at a time…

2900xl#vlan da
2900xl(vlan)#no vlan 100
Deleting VLAN 100...


…but there are so many.  Even more than the ones in the excerpt above.  Killing them one at a time would take forever.  So, what do we do now?  Let’s delete all the vlans at once!

2900xl#del vlan.dat
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]
2900xl#

Once we delete vlan.dat the switch will forget about all those crusty old VLANs from the last time the switch was used.   One reload later and we’ve got that new switch smell back:

2900xl>sho vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4,
Fa0/5, Fa0/6, Fa0/7, Fa0/8,
Fa0/9, Fa0/10, Fa0/11, Fa0/12,
Fa0/13, Fa0/14, Fa0/15, Fa0/16,
Fa0/17, Fa0/18, Fa0/19, Fa0/20,
Fa0/21, Fa0/22, Fa0/23, Fa0/24
1002 fddi-default active

Now we’re ready to get studying. Good luck!

So I didnt write daily on the bootcamp. Sorry bout that. I’ll try to sum it up here. Day 3 consisted of AAA, this was fairly uneventful. AAA is fairly straight forward anyways. I spent most of my time trying to catch up on the VPN portion of the lab which was the largest part. I was never able to get SSL VPN configured on the router. I think there was some type of bug or something because I was able to get the login screen, and log in successfully but could not do anything else. I also could not define a svc image for some reason. SSL VPN for IOS will definitely be on the list of things for me to work on. Day 4 was combination of IPS, Network attacks and IOS Proxy Auth. I may not be 100% right on that. This is all stuff I have blogged about in the past and over all felt familiar with the material and the configuration portion of these topic. Day 5 was review and random topics including lab strategy.

Was it worth it? Yeah, I think so. It was kind of expensive and I mainly spent time doing the lab work but I really needed this time. It has been hard finding the motivation at home or even having the time at home to get prep work done with the kids, wife and everything else. Like I said before, I think the class format would be more beneficial to work through things as a group. Some of my class mates were behind in the lab work. It would be good to review material, do the lab and then review the results. See what people got wrong and why. I think this would allow everyone to learn a bit more.
…click here to read more

Day 2 is complete. The main focus was all things VPN. We discussed Site to Site VPN, Remote access VPN, GET VPN and DMVPN. We also talked about applying QoS to the VPN tunnel. I spent some time trying to catch up in lab work from the previous days firewall portion. Not having a whole lot of experience with zone based firewall made this section take longer than expected although I feel much more comfortable with the topic and configuration now. I think this is something I will focus on in the next few weeks.

I probably wont get too technical during these posts but will mainly talk about my experience during the lab. If I get any really good info, then I’ll post it when I can. Day 2 of the lab went well overall. The lecture portion was good. I tried to pay attention to the areas that I know I need work on such as GET VPN or QoS with VPN. When it was lab time I hit a few snags. I configured a IOS to ASA tunnel using certificates. On the IOS router I had the wrong enrollment URL so I had problems authenticating the CA. Once I fixed this I still had a snag. I kept getting a failure message when trying to authenticate. I was able to telnet to the CA server on port 80 so I knew that the TCP flow was ok. I checked the CA server and found that the mscep.dll file was missing. This kind of got me thinking the install was corrupt somehow. The class instructor copied the file from a different server but still was a no go. We ended up rebuilding the server twice which was a painless process but was time consuming. Once the server was rebuilt and working as expected obtaining the certificate went without a hitch.

So far everything has gone well. A few sections were missing out of my binder and one of the guys in the class did not even get one. This wasn’t the instructors fault because this stuff was shipped in advance but not what I would expect for the price of the class. Today is Day 3 and we are covering AAA. This is one of my strong areas so looking forward to finishing up the VPN sections I couldn’t finish yesterday due to the problems with the server.