Sometimes people can be so dumb

I am a member of the IPExpert Routing and Switching Facebook page, and yesterday someone posted a message there (this is IPExpert - this part is important), asking for the password to an INE Service Provider v3 video TORRENT.

facepalm

I don't normally get involved, but it was too good an opportunity to miss, so I replied that the password was DuMbA55, another guy on there, Edgar, played along, and "corrected" it to DuMbA5$. Security is important, right!

I checked back a couple of times and didn't see any reply from the original requester. Then just now, this was posted by Edgar:

Don't ask for INE torrents on IPExperts page


Yep.

Yep. Hook line and sinker.

I won't publish the name, I'll just leave these here.

Brick idiot

idiot


How much WSA knowledge do you need for the CCIE Security? Setting up WCCP on WSA

I am slowly starting to get to grips with the WSA, the System Setup Wizard crashes out at the same place everytime, but I seem to be making my way around that.

Anyway, I have been thinking about how much you actually need to know about the WSA in the written and lab exams, and I don't think it's a huge amount.

Having a look at the written exam topics, its very brief:

5.14 Cisco Web Security Appliance and Cisco Email Security Appliance

As for the lab, well, that's a little more concise:
  • 3.3 Cisco WSA
  • 3.3.a Implement WCCP
  • 3.3.b Active Directory integration
  • 3.3.c Custom categories
  • 3.3.d HTTPS configuration
  • 3.3.e Services configuration (web reputation)
  • 3.3.f Configure proxy bypass lists
  • 3.3.g Web proxy modes
  • 3.3.h Application visibility and control
The WCCP thing goes together with configuring on a router or firewall endpoint, we'll come back to AD integration in a moment, but then we have custom categories, HTTPS and the rest of it - all of which are very much point and click.
So, let's return to AD.

Here's where the confusing part is. Have a look at the software versions for the v4 CCIE Security:
  • Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
  • Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE
  • Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
  • Cisco IPS Software Release 7.x
  • Cisco VPN Client Software for Windows, Release 5.x
  • Cisco Secure ACS System software version 5.3x
  • Cisco WLC 2500 Series software 7.2x
  • Cisco Aironet 1200 series AP Cisco IOS Software Release 12.4J(x)
  • Cisco WSA S-series software version 7.1x
  • Cisco ISE 3300 series software version 1.1x
  • Cisco NAC Posture Agent v4.X
  • Cisco AnyConnect Client v3.0X
There is a notable exception, and that is any form of Windows server.

This does limit down what is required, and puts the onus back onto locally created accounts, and puts greater weight on configuring WCCP.

While I appreciate that only someone who has actually sat the CCIE Security exams can confirm/deny this, I also appreciate that in doing so they would be in danger of breaking an NDA, but it would be good to find out if I am right or not! Feel free to comment below.

Setting up WCCP is very straight forward on the WSA.

Let's do this.

So I have my VM running inside of UNetLab, and it points me to use the System Setup Wizard.

We start off with the basics, like hostname and DNS:

Cisco WSA basic configuration for CCIE Security

Next we tell it where it is in the network (i.e. behind another proxy or not)


Cisco WSA basic configuration for CCIE Security

Then I configure the IP addresses:

Cisco WSA basic configuration for CCIE Security

Then this happens, everytime.

Cisco WSA basic configuration for CCIE Security


Switching to the console and grepping the gui log (type in "grep" and it will list the files you can read, and select by the number), it shows the following:
Critical: An application fault occurred: ('system_setup/wsassw_network_proxy.py process|290', "", "'Management'", '[util/Aquarium.py screenLoop|409] [util/InternalLibrary.py inverseExtend|328] [util/InternalLibrary.py __call__|746] [screen/Controller.py __call__|25] [util/InternalLibrary.py __call__|746] [screen/CommonController.py __call__|57] [util/InternalLibrary.py __call__|746] [screen/AppController.py __call__|191] [util/InternalLibrary.py __call__|748] [system_setup/wsassw_network_proxy.py __call__|33] [screen/WizardStep.py __call__|16] [screen/WizardStep.py callWizard|8] [system_setup/wsassw_wizard.py __call__|103] [screen/Wizard.py __call__|59] [screen/WizardStep.py run|21] [screen/Controller.py executeAction|67] [screen/WizardStep.py doNextAction|52] [screen/WizardStep.py validateAndProcess|79] [system_setup/wsassw_network_proxy.py process|290]')
No idea what that is all about.

Anyway, once you return to the default screen, you can click on Commit changes, and it seems pretty solid.

So moving on (with fingers crossed), WCCP can be set up in a few steps.

From the Network menu, select Transparent redirection:

Cisco WSA WCCP configuration

The default will be an L4 device, so change it to WCCP v2 router, and then you can click on Add Service:

Cisco WSA WCCP configuration

Fill in the boxes, giving it a profile name, either selecting the standard service (where you'll have to refer to it as "web-cache" in the router), or give it a service ID. Set the port numbers, and IP address of the WCCP router (very important), and if you want, set a password for the service. I am using "wsawccp" as the password.

Cisco WSA WCCP configuration

Once done, it'll appear in the WCCP v2 Services list:

Cisco WSA WCCP configuration

Commit the changes:

Cisco WSA WCCP configuration

All looks good.

Cisco WSA WCCP configuration

This is however only half the story, we need to set up the ASA for the service though.

I'll cover that in a different post.

Running ZeroShell in UNetLab

Props to my man Courtney for turning me onto this nice little linux distro. It's called ZeroShell and it does a tonne of cool stuff. Ideal for the CCIE Security lab, if resources are an issue. It will run happily on a 5GB harddisk, and hardly uses any resources when resting.

So, do you want a full list of ZeroShell's capabilities? Of course you do. It will do:
  • Load balancing & failover over multiple internet connections
  • RADIUS server (802.1x, EAP-TLS, EAP-TTLS, PEAP
  • Captive portal for wired and wireless clients
  • QoS
  • HTTP proxy
  • VPN
  • RIPv2
  • STP
  • 802.1Q
  • NAT
  • Multi-zone DNS
  • DHCP
  • LDAP integration
It's got a lot of cool features. Check it out over at http://www.zeroshell.org/.

So anyway, Courtney said he was going to document how to get it running on GNS3, and I thought it would be cool to try it out on UNetLab.

I started by creating a folder called win-zeroshell under /opt/unetlab/addons/qemu/ - it's got to be called win- at the moment, until a linux- template is fixed up. I then copied the latest ISO there. Then I created a 5G disk, and ran the wrapper.
root@unl01:~# cd /opt/
root@unl01:/opt# cd unetlab/
root@unl01:/opt/unetlab# cd addons/
root@unl01:/opt/unetlab/addons# cd qemu/
root@unl01:/opt/unetlab/addons/qemu# cd win-zeroshell/
root@unl01:/opt/unetlab/addons/qemu/win-zeroshell# ls
ZeroShell-3.3.2.iso
root@unl01:/opt/unetlab/addons/qemu/win-zeroshell# mv ZeroShell-3.3.2.iso cdrom.iso
root@unl01:/opt/unetlab/addons/qemu/win-zeroshell# /opt/qemu/bin/qemu-img create -f qcow hda.qcow2 5G
Formatting 'hda.qcow2', fmt=qcow size=5368709120 encryption=off
root@unl01:/opt/unetlab/addons/qemu/win-zeroshell# ls
cdrom.iso  hda.qcow2
root@unl01:/opt/unetlab/addons/qemu/win-zeroshell# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
root@unl01:/opt/unetlab/addons/qemu/win-zeroshell#
I then added a new node to a test lab I had on the go, and fired it up. Once connected via VNC, you can then install it to the harddrive, by selecting option A from the menu:

Running ZeroShell in UNetLab

The install is straight forward, pretty much just accept all the defaults.

Once the install is done, shut it down, and then rename the cdrom.iso file to something else - otherwise it'll boot from the cdrom.

Once done, fire it up again. I created a 5GB disk for it, and it is only using a fraction of that:

Running ZeroShell in UNetLab

The actual topology is very simple:

Running ZeroShell in UNetLab
Once the Windows box is on the same subnet, we can access the web gui. Forgive the crappy colors:

Running ZeroShell in UNetLab

There you go, really quick to set up and loads of features. It'll do X.509 certificates, a little easier than setting this up on a Windows server, and whilst the GUI certainly wont win any prizes for the most attractive interface, who want's style over substance?

This certainly has all the ingredients.

Edit: Here is a link to Courtney's video. Please check it out. Or view the video here:


CCIE Security lab: Active Directory domain setup

This is a bit of a jump, I had originally planned to concentrate on the upper part of the topology, but this is just a quick post, as I set up a core component - the Active Directory server. This will be needed for authenticating to devices, website access through proxy rules, and a whole bunch of other stuff.

One of the things I love about UNetLab is that you can create a folder, chuck in a cdrom.iso file, create a harddisk, and it will install (OK, for the most-part. Windows 10 doesn't seem happy yet) - but I can quickly roll out my AD server.
root@unl01:/opt/unetlab/addons/qemu# mkdir win-2008R2
root@unl01:/opt/unetlab/addons/qemu# cd win-2008R2/
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# ls
2008.R2.SP1.iso
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# mv 2008.R2.SP1.iso cdrom.iso
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# ls
cdrom.iso
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# /opt/qemu/bin/qemu-img create -f qcow2 hda.qcow2 40G
Formatting 'hda.qcow2', fmt=qcow2 size=42949672960 encryption=off cluster_size=65536 lazy_refcounts=off refcount_bits=16
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# ls
cdrom.iso  hda.qcow2
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# ls -lah
total 3.3G
drwxr-xr-x  2 root root 4.0K Aug 13 09:58 .
drwxr-xr-x 36 root root 4.0K Aug 13 09:49 ..
-rwx------  1 root root 3.3G Aug 13 09:56 cdrom.iso
-rw-r--r--  1 root root 193K Aug 13 09:58 hda.qcow2
root@unl01:/opt/unetlab/addons/qemu/win-2008R2# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
root@unl01:/opt/unetlab/addons/qemu/win-2008R2#
You don't magically get the ISO file once you create the folder, I copied it over using FileZilla. Renamed it to cdrom.iso, created a 40G harddisk, and ran the wrapper.
Install starts:

Windows 2008R2 running in UNetLab

After a while, a few clicks of "next" and the install is completed, and I can start the AD installation. Running Windows 2008 R2 on UNetLab really is that easy:

Windows 2008R2 running in UNetLab

I have given this server, which will be my primary AD box the IP address 192.168.10.13, which means that I have also added another component to my internal network structure - the 192.168.10.0/24 network.

So why did I use this particular address? Well, it's a geek thing - if you can work it out then you win 10 points*.

Windows 2008R2 running in UNetLab

I have used CCIELAB as the AD domain as it wouldn't let me use 802101.local. :(

OK, so now let's add this bit of the network (vlan 10) to the switches.

It really doesn't make sense that as I go forward I add each VLAN to each switch, so let's set up VTP on SW3 and SW4
SW3(config)#vtp domain CCIELAB
Changing VTP domain name from NULL to CCIELAB
SW3(config)#vtp pass ccielab
Setting device VTP password to ccielab
SW3(config)#vtp mode ser
Device mode already VTP Server for VLANS.
SW3(config)#vtp ver 2
SW3(config)#

SW4(config)#vtp dom CCIELAB
Domain name already set to CCIELAB.
SW4(config)#vtp mo cli
Setting device to VTP Client mode for VLANS.
SW4(config)#vtp pass ccielab
Setting device VTP password to ccielab
SW4(config)#

SW3(config)#vlan 10
SW3(config-vlan)#name AD VLAN
SW3(config-vlan)#exi
SW3(config)#int vlan 10
SW3(config-if)#ip add 192.168.10.1 255.255.255.0
SW3(config-if)#no sh
SW3(config)#int gi 2/2
SW3(config-if)#swi mode acc
SW3(config-if)#swi acc vl 10
SW3(config-if)#exi
SW3(config)#

SW4(config)#do sh vlan bri

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
                                                Gi1/2, Gi1/3, Gi2/0, Gi2/1
                                                Gi2/2, Gi2/3, Gi3/1, Gi3/2
                                                Gi3/3
10   AD VLAN                          active    
42   VLAN0042                         active    Gi1/0, Gi1/1
1002 fddi-default                     act/unsup 
1003 trcrf-default                    act/unsup 
1004 fddinet-default                  act/unsup 
1005 trbrf-default                    act/unsup 
SW4(config)#do sh int trun

Port        Mode             Encapsulation  Status        Native vlan
Gi3/0       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi3/0       1-4094

Port        Vlans allowed and active in management domain
Gi3/0       1,10,42

Port        Vlans in spanning tree forwarding state and not pruned
Gi3/0       1,10,42
SW4(config)#
What we need now, in the words of my children, is some peoples to play with. I will need at least two user accounts, and two security groups.

UserA will be an admin for all things, he'll have access to the routers and ASAs, the switches, all the websites, and everything you can think of. UserA will be in the Admins group.

UserB will not have the same level of access, it will have access to one website, but not another - still not sure where these websites will be, exactly, but we'll cross that bridge when we come to it. UserB won't have admin access to the routers, ASAs etc, and I am sure I can find some other ways to be Captain Buzzkill for this imaginary user!

Scripting is a bit more interesting than screenshots, it also makes it easier to cut and paste if you are following along at home.

First we need to create an OU (called Staff), and two users (UserA and UserB):
dsadd ou "ou=Staff, dc=CCIELAB, dc=local"
dsadd user "cn=UserA, ou=Staff, dc=CCIELAB, dc=local"
dsadd user "cn=UserB, ou=Staff, dc=CCIELAB, dc=local"
Now we are going to create an OU (called RBAC), and add a couple of groups to it (Admins and Basic):
dsadd ou "ou=RBAC, dc=CCIELAB, dc=local"
dsadd group cn=Admins,ou=RBAC,dc=CCIELAB,dc=local
dsadd group cn=Basic,ou=RBAC,dc=CCIELAB,dc=local
Users need passwords, and they need to be activated, so lets do this:
dsmod user "CN=UserA,OU=Staff,DC=CCIELAB,DC=local" -pwd Cisco123! -mustchpwd no
dsmod user "CN=UserB,OU=Staff,DC=CCIELAB,DC=local" -pwd Cisco123! -mustchpwd no
dsmod user "CN=UserA,OU=Staff,DC=CCIELAB,DC=local" -disabled no
dsmod user "CN=UserB,OU=Staff,DC=CCIELAB,DC=local" -disabled no
Lastly, let's add then to the RBAC groups:
dsmod group cn=Admins,ou=RBAC,dc=CCIELAB,dc=local -addmbr CN=UserA,OU=Staff,DC=CCIELAB,DC=local
dsmod group cn=Basic,ou=RBAC,dc=CCIELAB,dc=local -addmbr CN=UserB,OU=Staff,DC=CCIELAB,DC=local
A quick check on the GUI and we can confirm that the users are where they should be:

Windows 2008R2 running in UNetLab

Although I do seem to be jumping around the topology a tad, this was more of a side-step. But doing quick things like this earlier on, will allow a more rapid approach later. It also helps me plan how the network will run, from both the top-down (IP addressing) and bottom-up (services and integration).

I hope. That's the plan at least.

802101 point system All points awarded on 802101.com are purely for entertainment value and do not represent any physical currency. They can be redeemed against an odd assortment of things I might have lying around, or I'll buy you a drink if I happen to bump into you.
CCIE Security Lab, Part 2 - MPLS Core

CCIE Security Lab, Part 2 - MPLS Core

Today the fun starts, as I will start by building up the MPLS core, which will serve as the connecting element between the three/four sites in the topology.

R1 will be the provider router, R2, R3, and Prov1 will be the PE routers. So I'll quickly go through the basic IP connectivity, IGP (OSPF), MPLS and BGP configuration, before looking at the best way to secure the individual components.

If you are not familiar with MPLS, then please go and buy my book; MPLS for Cisco Networks. It is a good place to start learning MPLS and covers, in much more depth, the stuff I will whizz through.

Just to re-iterate previous post, I won't be dwelling on MPLS security. It's not explicitly stated on the blueprint, and it does not feature on the INE workbook either. Which means its a pretty good bet that it won't feature in the exam.

Let's start with the basic IP configuration:
R1(config)#int gi 0/0
R1(config-if)#desc Connection to R2
R1(config-if)#ip add 134.20.1.1 255.255.255.252
R1(config-if)#no shu
R1(config-if)#do ping 134.20.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 134.20.1.2
.!!!!
Success rate is 80 percent (4/5)
R1(config-if)#int gi 0/1
R1(config-if)#desc Link to R3
R1(config-if)#ip add 134.20.1.5 255.255.255.252
R1(config-if)#no shu
R1(config-if)#int gi 0/2
R1(config-if)#desc Link to Prov1
R1(config-if)#ip add 134.20.1.9 255.255.255.252
R1(config-if)#no shu
R1(config-if)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.255
R1(config-if)#int lo8
R1(config-if)#ip add 8.8.8.8 255.255.255.255
R1(config-if)#do ping 134.20.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 134.20.1.6
.!!!!
Success rate is 80 percent (4/5)
R1(config-if)#do ping 134.20.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 134.20.1.10
.!!!!
Success rate is 80 percent (4/5)
R1(config-if)#

R2(config)#int gi 0/0
R2(config-if)#desc Connection to R1
R2(config-if)#ip add 134.20.1.2 255.255.255.252
R2(config-if)#no shut
R2(config-if)#
R2(config-if)#int lo0
R2(config-if)#ip add 2.2.2.2 255.255.255.255
R2(config-if)#

R4(config)#int gi 0/1
R4(config-if)#desc Link to R1
R4(config-if)#ip add 134.20.1.6 255.255.255.252
R4(config-if)#no shu
R4(config-if)#
R4(config-if)#int lo0
R4(config-if)#ip add 4.4.4.4 255.255.255.255
R4(config-if)#

Prov1(config)#int gi 0/0
Prov1(config-if)#desc Link to R1
Prov1(config-if)#ip add 134.20.1.10 255.255.255.252
Prov1(config-if)#no shu
Prov1(config-if)#
Prov1(config-if)#int lo0
Prov1(config-if)#ip add 10.10.10.10 255.255.255.255
Prov1(config-if)#
I am going to use OSPF as my IGP, so let's configure that...
R1(config-if)#exi
R1(config)#router ospf 1
R1(config-router)#router-id 1.1.1.1
R1(config-router)#network 0.0.0.0 0.0.0.0 area 0
R1(config-router)#

R2(config-if)#router ospf 1
R2(config-router)#router-id 2.2.2.2
R2(config-router)#network 134.20.1.0 0.0.0.3 area 0
R2(config-router)#net 2.2.2.2 0.0.0.0 area 0
R2(config-router)#

R4(config-if)#router ospf 1
R4(config-router)#router-id 4.4.4.4
R4(config-router)#net 134.20.1.4 0.0.0.3 ar 0
R4(config-router)#net 4.4.4.4 0.0.0.0 a 0
R4(config-router)#

Prov1(config-if)#router ospf 1
Prov1(config-router)#router-id 10.10.10.10
Prov1(config-router)#net 134.20.1.10 0.0.0.0 a 0
Prov1(config-router)#net 10.10.10.10 0.0.0.0 a 0
Prov1(config-router)#

R1(config-router)#do sh ip ospf neigh

Neighbor ID     Pri  State     Dead Time Address     Interface
10.10.10.10       1  FULL/BDR  00:00:34  134.20.1.10 GigabitEthernet0/2
4.4.4.4           1  FULL/BDR  00:00:33  134.20.1.6  GigabitEthernet0/1
2.2.2.2           1  FULL/DR   00:00:37  134.20.1.2  GigabitEthernet0/0
R1(config-router)#
Because we are running OSPF, we can use the command "mpls ldp autoconfig":
R1(config-router)#mpls ldp autoconfig 
R1(config-router)#

R2(config-router)#mpls ldp autoconfig
R2(config-router)#

R4(config-router)#mpls ldp autoconfig
R4(config-router)#

Prov1(config-router)#mpls ldp autoconfig
Prov1(config-router)#

R1(config-router)#
%LDP-5-NBRCHG: LDP Neighbor 2.2.2.2:0 (1) is UP
%LDP-5-NBRCHG: LDP Neighbor 4.4.4.4:0 (2) is UP
%LDP-5-NBRCHG: LDP Neighbor 10.10.10.10:0 (3) is UP
R1(config-router)#
Following a couple of best practices, we really should hard-code our label switching method, and our LDP router-id. At the moment the R1 will be using 8.8.8.8 as it's router ID, whereas I want to use 1.1.1.1:
R1(config-router)#exi  
R1(config)#mpls label protocol ldp 
R1(config)#mpls ldp router-id lo0 force 
R1(config)#

R2(config-router)#mpls label protocol ldp
R2(config)#mpls ldp router-id lo0 force
R2(config)#

R4(config)#mpls label protocol ldp
R4(config)#mpls ldp router-id lo0 force
R4(config)#

Prov1(config-router)#mpls label protocol ldp
Prov1(config)#mpls ldp router-id lo0 force
Prov1(config)#
Now we can configure MP-BGP:
R2(config)#router bgp 1
R2(config-router)#bgp router-id 2.2.2.2
R2(config-router)#no bgp def ipv4-unicast 
R2(config-router)#neigh 4.4.4.4 remote 1
R2(config-router)#neigh 10.10.10.10 remote 1
R2(config-router)#neigh 4.4.4.4 update lo0
R2(config-router)#neigh 10.10.10.10 update lo0
R2(config-router)#address-family vpnv4 
R2(config-router-af)#neigh 4.4.4.4 activate
R2(config-router-af)#neigh 10.10.10.10 activ
R2(config-router-af)#neigh 4.4.4.4 send-community extended 
R2(config-router-af)#neigh 10.10.10.10 send-community extended 
R2(config-router-af)#

R4(config)#router bgp 1
R4(config-router)#bgp router-id 4.4.4.4
R4(config-router)#no bgp def ipv4
R4(config-router)#neigh 2.2.2.2 remote 1    
R4(config-router)#neigh 10.10.10.10 remote 1
R4(config-router)#neigh 2.2.2.2 update lo0
R4(config-router)#neigh 10.10.10.10 update lo0
R4(config-router)#add vpnv4
R4(config-router-af)#neigh 2.2.2.2 activ
R4(config-router-af)#neigh 10.10.10.10 activ
R4(config-router-af)#neigh 2.2.2.2 send-community extended 
R4(config-router-af)#neigh 10.10.10.10 send-community extended 
R4(config-router-af)#

Prov1(config)#router bgp 1
Prov1(config-router)#bgp router-id 10.10.10.10
Prov1(config-router)#no bgp def ipv4 
Prov1(config-router)#neigh 2.2.2.2 remote 1
Prov1(config-router)#neigh 4.4.4.4 remote 1
Prov1(config-router)#neigh 2.2.2.2 update lo0
Prov1(config-router)#neigh 4.4.4.4 update lo0
Prov1(config-router)#add vpnv4
Prov1(config-router-af)#neigh 2.2.2.2 activ
Prov1(config-router-af)#neigh 4.4.4.4 activ
Prov1(config-router-af)#neigh 2.2.2.2 send-comm ext
Prov1(config-router-af)#neigh 4.4.4.4 send-comm ext
Prov1(config-router-af)#

R2#sh bgp vpnv4 uni all sum
BGP router identifier 2.2.2.2, local AS number 1
BGP table version is 1, main routing table version 1

Neighbor      V  AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
4.4.4.4       4  1       4       4        1    0    0 00:02:25        0
10.10.10.10   4  1      13      14        1    0    0 00:10:30        0
R2#

Prov1#sh bgp vpnv4 uni all sum
BGP router identifier 10.10.10.10, local AS number 1
BGP table version is 1, main routing table version 1

Neighbor      V  AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2.2.2.2       4  1      14      13        1    0    0 00:10:52        0
4.4.4.4       4  1       7       6        1    0    0 00:04:15        0
Prov1#
So far so good, now we need to set up our VRF. I will only be using one (at least for the moment):
R2(config)#ip vrf 802101
R2(config-vrf)#rd 1:1
R2(config-vrf)#route-target bo 1:1
R2(config-vrf)#

R4(config-router-af)#ip vrf 802101
R4(config-vrf)# rd 1:1
R4(config-vrf)# route-target export 1:1
R4(config-vrf)# route-target import 1:1
R4(config-vrf)#

Prov1(config)#ip vrf 802101
Prov1(config-vrf)# rd 1:1
Prov1(config-vrf)# route-target export 1:1
Prov1(config-vrf)# route-target import 1:1
Prov1(config-vrf)#
Next we need to assign the relevant interfaces to the VRF:
R2(config-vrf)#int gi 0/1
R2(config-if)#ip vrf for 802101
R2(config-if)#ip add 128.2.2.2 255.255.255.252
R2(config-if)#desc Link to R3
R2(config-if)#no shu
R2(config-if)#

R4(config-vrf)#int gi 0/0
R4(config-if)#ip vrf for 802101
R4(config-if)#ip add 198.240.5.1 255.255.255.252
R4(config-if)#desc Link to CUSTFW01
R4(config-if)#no shu               
R4(config-if)#

Prov1(config-vrf)#int gi 0/1
Prov1(config-if)#ip vrf for 802101          
Prov1(config-if)#ip add 10.1.1.1 255.255.255.0
Prov1(config-if)#desc Link to ProvSW
Prov1(config-if)#no shu
Prov1(config-if)#
And finally we add the VRF to BGP:
R2(config-if)#router bgp 1
R2(config-router)#add ipv4 vrf 802101
R2(config-router-af)#

R4(config-if)#router bgp 1
R4(config-router)#add ipv4 vrf 802101
R4(config-router-af)#

Prov1(config)#router bgp 1
Prov1(config-router)#add ipv4 vrf 802101
Prov1(config-router-af)#
When we look at adding the sites together, we'll need to do redistribution between R3 and R2, CUSTFW01 and R4, and our HQ ASAs and the provider (Prov1), but it is not the intention to go that far just yet. Instead we'll now look at how we can secure the MPLS environment.

So, what can we, or should we secure? Our biggest danger, as it currently stands, is that someone could plug a router into the network, and it would not take them long to form an adjacency with us on OSPF or LDP. To gain access to BGP then they would have to perform some kind of man-in-the-middle attack and place themselves on the connecting wire - i.e. between R1 and R2, and then they would have to impersonate R2. This could easily be done through packet sniffing initially.

The simplest way in which we can protect ourselves is to implement some passwords. We will do this first on R2, below, and we can see that adding a password on it's own is good, but clearly not foolproof - if you gain access to the router, or to the configuration backups, then you can see that the password is stored in cleartext, unless you enable "service password-encryption":
R2(config)#router bgp 1
R2(config-router)#neigh 4.4.4.4 password 0 802101-Secrets
R2(config-router)#do sh run | i password
no service password-encryption
 neighbor 4.4.4.4 password 802101-Secrets
R2(config-router)#service password-encryption
R2(config)#do sh run | i password     
service password-encryption
 neighbor 4.4.4.4 password 7 135D47405A5C556718212B21303600
R2(config)#router bgp 1
R2(config-router)#neigh 10.10.10.10 password 0 802101-Secrets
R2(config-router)#do sh run | i password
service password-encryption
 neighbor 4.4.4.4 password 7 135D47405A5C556718212B21303600
 neighbor 10.10.10.10 password 7 154A5B5E557A7A691B363630161305
R2(config-router)#

R4(config)#router bgp 1
R4(config-router)#neigh 2.2.2.2 password 802101-Secrets
R4(config-router)#neigh 10.10.10.10 password 802101-Secrets
R4(config-router)#service password-encryption
R4(config)#

Prov1(config)#router bgp 1
Prov1(config-router)#neigh 2.2.2.2 password 802101-Secrets
Prov1(config-router)#neigh 4.4.4.4 password 802101-Secrets
Prov1(config-router)#service password-encryption
Prov1(config)#
Let's turn our attention to our MPLS configuration. We are not done with BGP security completely, we'll revisit it in a later post, where we'll look at ttl-security, which can only be done through eBGP peers.

We can do a number of things to secure our MPLS configuration from prying eyes. We can set a restriction on the route target values that we will import (and export):
R2(config)#ip extcommunity-list 101 permit RT:1:1
R2(config)#route-map ImportMap perm 10
R2(config-route-map)#match extcommunity 101
R2(config-route-map)#exit
R2(config)#route-map ExportMap perm 10
R2(config-route-map)#match extcommunity 101
R2(config-route-map)#ip vrf 802101
R2(config-vrf)#export map ExportMap
R2(config-vrf)#import map ImportMap
R2(config-vrf)#

R4(config)#ip extcommunity-list 101 permit RT:1:1
R4(config)#route-map ImportMap perm 10
R4(config-route-map)#match extcommunity 101
R4(config-route-map)#route-map ExportMap perm 10
R4(config-route-map)#match extcommunity 101
R4(config-route-map)#ip vrf 802101
R4(config-vrf)#export map ExportMap
R4(config-vrf)#import map ImportMap
R4(config-vrf)#

Prov1(config)#ip extcommunity-list 101 permit RT:1:1
Prov1(config)#route-map ImportMap perm 10
Prov1(config-route-map)#match extcommunity 101
Prov1(config-route-map)#route-map ExportMap perm 10
Prov1(config-route-map)#match extcommunity 101
Prov1(config-route-map)#ip vrf 802101
Prov1(config-vrf)#export map ExportMap
Prov1(config-vrf)#import map ImportMap
Prov1(config-vrf)#
The extended community list will match our route target (1:1), and permit it. The default deny rule will catch anything else, and this is then applied inbound and outbound to our VRF.

We can also set an LDP neighbor password. This is done below, and password encryption is turned on:
R1(config)#mpls ldp neigh 4.4.4.4 password 0 80201-Secret
R1(config)#mpls ldp neigh 2.2.2.2 password 0 80201-Secret
R1(config)#mpls ldp neigh 10.10.10.10 password 0 80201-Secret
R1(config)#do sh run | i password
no service password-encryption
mpls ldp neighbor 4.4.4.4 password 80201-Secret
mpls ldp neighbor 2.2.2.2 password 80201-Secret
mpls ldp neighbor 10.10.10.10 password 80201-Secret
R1(config)#service password-encryption
R1(config)#do sh run | i password     
service password-encryption
mpls ldp neighbor 4.4.4.4 password 7 135D47405B5D49192E273A3621
mpls ldp neighbor 2.2.2.2 password 7 025E54095B574212494D1B1C11
mpls ldp neighbor 10.10.10.10 password 7 04035B545F70017D0C1A171206
R1(config)#

R2(config)#mpls ldp neighbor 1.1.1.1 password 0 802101-Secret 
R2(config)#

R4(config-vrf)#mpls ldp neighbor 1.1.1.1 password 0 802101-Secret
R4(config)#

Prov1(config-vrf)#mpls ldp neighbor 1.1.1.1 password 0 802101-Secret
Prov1(config)#
Another best practice is to "hide" our MPLS network from our CE devices (should they do a trace route), the below command will do this:
R1(config)#no mpls ip propagate-ttl 
R1(config)#
OSPF, similarly, can be password protected using MD5, this will have the immediate effect of the OSPF speakers losing their adjacencies, but I have omitted those messages:
R1(config)#router ospf 1
R1(config-router)#area 0 authentication message-digest 
R1(config-router)#int gi 0/0
R1(config-if)#ip ospf authentication message-digest 
R1(config-if)#ip ospf message-digest-key 1 md5 0 802101-Secret
R1(config-if)#int g0/1
R1(config-if)#ip ospf authentication message-digest 
R1(config-if)#ip ospf message-digest-key 1 md5 0 802101-Secret
R1(config-if)#int gi 0/2
R1(config-if)#ip ospf authentication message-digest    
R1(config-if)#ip ospf message-digest-key 1 md5 0 802101-Secret
R1(config-if)#

R2(config)#router ospf 1
R2(config-router)#area 0 authentication message-digest
R2(config-router)#int gi 0/0
R2(config-if)#ip ospf authentication message-digest
R2(config-if)#ip ospf message-digest-key 1 md5 0 802101-Secret
R2(config-if)#
%OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on GigabitEthernet0/0 from LOADING to FULL, Loading Done
R2(config-if)#

R4(config)#router ospf 1
R4(config-router)#area 0 authentication message-digest
R4(config-router)#int gi 0/1
R4(config-if)#ip ospf authentication message-digest
R4(config-if)#ip ospf message-digest-key 1 md5 0 802101-Secret
R4(config-if)#
%OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on GigabitEthernet0/1 from LOADING to FULL, Loading Done
R4(config-if)#

Prov1(config)#router ospf 1
Prov1(config-router)#area 0 authentication message-digest
Prov1(config-router)#int gi 0/0
Prov1(config-if)#ip ospf authentication message-digest
Prov1(config-if)#ip ospf message-digest-key 1 md5 0 802101-Secret
Prov1(config-if)#
%OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on GigabitEthernet0/0 from LOADING to FULL, Loading Done
%BGP-5-NBR_RESET: Neighbor 4.4.4.4 active reset (BGP Notification sent)
%BGP-5-ADJCHANGE: neighbor 4.4.4.4 Up 
%BGP-5-NBR_RESET: Neighbor 2.2.2.2 active reset (BGP Notification sent)
%BGP-5-ADJCHANGE: neighbor 2.2.2.2 Up 
Prov1(config-if)#
OK, all looks fine so far. But what happened after OSPF got torn down and the neighborships reestablished? LDP wouldn't come up. The passwords were there, but the message (Invalid MD5 digest) indicates that the password is wrong.
R1(config-router)#do sh run | i password     
service password-encryption
mpls ldp neighbor 4.4.4.4 password 7 135D47405B5D49192E273A3621
mpls ldp neighbor 2.2.2.2 password 7 025E54095B574212494D1B1C11
mpls ldp neighbor 10.10.10.10 password 7 04035B545F70017D0C1A171206
R1(config-router)#do sh ip ospf neigh

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.10       1   FULL/DR         00:00:39    134.20.1.10     GigabitEthernet0/2
4.4.4.4           1   FULL/DR         00:00:33    134.20.1.6      GigabitEthernet0/1
2.2.2.2           1   FULL/DR         00:00:38    134.20.1.2      GigabitEthernet0/0
R1(config-router)#exit
R1(config)#logging con
R1(config)#
%TCP-6-BADAUTH: Invalid MD5 digest from 2.2.2.2(13861) to 1.1.1.1(646) tableid - 0
%TCP-6-BADAUTH: Invalid MD5 digest from 4.4.4.4(19675) to 1.1.1.1(646) tableid - 0
%TCP-6-BADAUTH: Invalid MD5 digest from 10.10.10.10(16183) to 1.1.1.1(646) tableid - 0
%TCP-6-BADAUTH: Invalid MD5 digest from 2.2.2.2(13861) to 1.1.1.1(646) tableid - 0
%TCP-6-BADAUTH: Invalid MD5 digest from 4.4.4.4(39459) to 1.1.1.1(646) tableid - 0
%TCP-6-BADAUTH: Invalid MD5 digest from 10.10.10.10(16183) to 1.1.1.1(646) tableid - 0
So what is happening here?

Well, in one of those "can't see the wood for the trees" moments, I fat-fingered the configuration on R1. It took me running the password through a password cracker to see the difference. Just goes to prove you should pick a password that makes spotting mistakes easy to do. Alternatively, a much better approach is to do it all on one router, and then copy the encrypted password from the "master" to the other routers - using "mpls ldp neigh <neighbor> password 7 <encrypted password>". Below you can see that once thew password was copied from R1 onto R2, the error cleared and LDP came up.

The full compare, replace and contrast sequence is below:
%LDP-5-NBRCHG: LDP Neighbor 2.2.2.2:0 (1) is UP
%TCP-6-BADAUTH: Invalid MD5 digest from 10.10.10.10(16183) to 1.1.1.1(646) tableid - 0
%TCP-6-BADAUTH: Invalid MD5 digest from 4.4.4.4(39459) to 1.1.1.1(646) tableid - 0
%TCP-6-BADAUTH: Invalid MD5 digest from 10.10.10.10(49475) to 1.1.1.1(646) tableid - 0
%TCP-6-BADAUTH: Invalid MD5 digest from 10.10.10.10(49475) to 1.1.1.1(646) tableid - 0
%TCP-6-BADAUTH: Invalid MD5 digest from 4.4.4.4(60395) to 1.1.1.1(646) tableid - 0
%TCP-6-BADAUTH: Invalid MD5 digest from 4.4.4.4(60395) to 1.1.1.1(646) tableid - 0
%TCP-6-BADAUTH: Invalid MD5 digest from 10.10.10.10(49475) to 1.1.1.1(646) tableid - 0
R1(config)#no logging con
R1(config)#

R2(config-if)#do sh run | i password
service password-encryption
mpls ldp neighbor 1.1.1.1 password 7 09141E5B4855465F380907382E30
 neighbor 4.4.4.4 password 7 135D47405A5C556718212B21303600
 neighbor 10.10.10.10 password 7 154A5B5E557A7A691B363630161305
R2(config-if)#mpls ldp neighbor 1.1.1.1 password 7 025E54095B574212494D1B1C11
R2(config)#
%LDP-5-PWDCFG: Password configuration changed for 1.1.1.1:0
%LDP-5-NBRCHG: LDP Neighbor 1.1.1.1:0 (1) is UP

R4(config)#do sh run | i password
service password-encryption
mpls ldp neighbor 1.1.1.1 password 7 1016594B544743463F012939213C
 neighbor 2.2.2.2 password 7 0757711E1F5948482417081E013E38
 neighbor 10.10.10.10 password 7 065E5F731D1E585436121119091039
R4(config)#mpls ldp neighbor 1.1.1.1 password 7 135D47405B5D49192E273A3621
R4(config)#
%LDP-5-PWDCFG: Password configuration changed for 1.1.1.1:0
R4(config)#
%LDP-5-NBRCHG: LDP Neighbor 1.1.1.1:0 (1) is UP

Prov1(config)#do sh run | i password
service password-encryption
mpls ldp neighbor 1.1.1.1 password 7 135D47405A5C556718212B213036
 neighbor 2.2.2.2 password 7 09141E5B4855465F380907382E303B
 neighbor 4.4.4.4 password 7 1016594B544743463F012939213C20
Prov1(config)#neighbor 1.1.1.1 password 7 04035B545F70017D0C1A171206          
Prov1(config)#
%LDP-5-PWDCFG: Password configuration changed for 1.1.1.1:0
Prov1(config)#
%LDP-5-NBRCHG: LDP Neighbor 1.1.1.1:0 (1) is UP   
Prov1(config)#

R1#sh mpls ldp neigh | i Ident
    Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 1.1.1.1:0
        Addresses bound to peer LDP Ident:
    Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 1.1.1.1:0
        Addresses bound to peer LDP Ident:
    Peer LDP Ident: 10.10.10.10:0; Local LDP Ident 1.1.1.1:0
        Addresses bound to peer LDP Ident:
R1#
Not a bad start. I learnt something (about properly using password encryption), and I have a basis for the network to start to evolve.

I am currently reading "MPLS VPN Security", which is pretty good, lot's of theory and explanation, but a little light on configuration. Still, definitely a good purchase so far.
Cisco MPLS VPN Security best book

There is a good inclusion on access-lists, below is one with would permit BGP, OSPF, and LDP:
access-list 110 permit tcp host x.x.x.x host loopback eq bgp
access-list 110 permit ospf host x.x.x.x host 224.0.0.5
access-list 110 permit ospf host x.x.x.x host 224.0.0.6
access-list 110 permit ospf host x.x.x.x host local_ip
access-list 110 permit tcp address mask any eq 646
access-list 110 permit udp address mask any eq 646
I think I will save this for later on though, when all the tunnels are in place. The next post will either be about transparent firewalls, or Multiple-context firewalls.

Topology update: IP addresses and device changes

I have started to work out the IP addressing scheme, and iron out a couple of issues in the topology.

To have a working MPLS core at the top of the topology, I have added another router and a switch. R1 will be the provider router, R2, R4 and Prov1 will be the PE routers, and the HQ's ASAs will connect into a provider switch (under the Prov1 router).

CCIE Security v4 topology

I have also added the external IP addresses. I think I will need to add another link between R3 and the NYFW01 firewall - this will be a transparent firewall, acting as a bump in the wire, which is why the IP address spans from R3 to R1. The FW will need managing though, So another link will most definitely be required.
This time around I will be using proper public IP addresses, this should never be done in a production environment (i.e. randomly selecting IP addresses to play with - but this will be an enclosed system, so I can do what I like).

I purposefully have not looked at how the HQ will be addressed. It will be using the 192.168.0.0/16 subnet, broken down into different subnets with the VLANs. I'll sort this bit out later.

It's definitely taking shape. The books are arriving, just one more to be delivered, and maybe two more to purchase. It's getting exciting as well. Now that I have the IP addresses formulated, I can start building up the MPLS core, which will be a fairly simple design, as there is nothing in the blueprint to suggest that MPLS will come up. Nevertheless MPLS is an interesting topic, so it should be a good way to kick things off in the right frame of mind.

Hopefully I can start the MPLS tomorrow!

CCIE Security topology revised

I have had a nagging thought over the last couple of days regarding the topology I will be using to start my CCIE Security studies.

My original plan was to work through the INE workbooks towards the end of the studying, but to use their topology for the studies, from the start right to the end.

This really isn't the best idea. I am trying to fit my own learning around a pre-defined topology, into which I am trying to drop and build my own network.

Instead I should be building my own. So that's what I will do.

I will still keep with the same devices, but build up something I know that I can work with. After all, if you are building something, then build something you can build.

So, this is what I have come up with:

CCIE Security v4 topology

Now, let's plan how the network will actually work.
The IP addressing needs to be sorted, but once that is done, then we have a sub-office, the HQ, and a couple of customer sites:

CCIE Security v4 topology

The HQ will run the majority of the equipment, such as the wireless, authentication servers, IPS, and this is where the servers will live. It will provide authentication services to the other site, and to the customers as well. So fully functioning routing is critical (obviously).

As is pretty standard, I'll be making use of loopback addresses to extend the network out, so that I can run the VPNs across it. There will be a number of different networks, using the loopbacks as the interesting traffic:

CCIE Security v4 topology

I have left out a couple of switches. At the moment I do not see a need to have these in the topology - at the moment at least. This may change later on.

This seems like a much more workable way to study, it's much cleaner, makes more sense, and doesn't look like a jumbled mass of equipment. If I want to look at a jumbled mass of wires and routers then I can look at my study instead.

If this does prove a workable topology, then I will post it on the Unetlab.com website for all to use.

CCIE Security study plan - revised

I am hitting a bit of a brick wall with the WSA appliance. So I will need to reach out for help, but bearing in mind that it will be just a 45 day trial (in most likelihood), I should reserve this for nearer the end of the study period. The same may be true for other components, such as the ISE, ACS, vWLC, and IPS.

I know at least I should be able to get an IPS license myself, if I need one.

You would think that Cisco would make it a little easier for people wanting to study! We pay enough money to Cisco, we should at least be able to download the stuff we need to study. Anyway, enough of the ranting. The plan needs a little revision.

Batman CCIE study plan

So, let's concentrate on the things that I can do. Here's the original list, I'll keep it a little more brief than in the original study plan. The numbers in brackets are the new position in the plan.

1: Set up TestPC-B, Switch 3 and Switch 6. This will give me access to WSA1 (1)
2: WSA (12)
3: Set up Switch 1 & Switch 3, giving access to ISE1 and ISE2 (2)
4: ISE (11)
5: Set up Switch 2 and Switch 4 - giving access to ACS1 and ACS2. (2)
6: ACS (10)
7: Set up ASAs (3)
8: VPNs (4)
9: IPS (9)
10: Hardening and availability (7)
11: Wireless stuff (6)
12: Miscellaneous other stuff (8)
13: IPv4 and IPv6 routing protocol security (5)
14: Do written exam (13)
15: Practice - do INE Security workbooks and full scale labs. (14)
16: Lab - take the lab exam. (15)
17: Profit? Re-take lab exam? Who knows! (16)
Here is the revised version:

1: Set up TestPC-B, Switch 2 and Switch 6. This will give me access to WSA1
2: Set up all the switches
3: Set up ASAs
4: Set up routers for VPNs
5: IPv4 and IPv6 routing protocol security
6: Wireless stuff
7: Hardening and availability
8: Miscellaneous other stuff (threat identification and mitigation)
9: IPS
10: ACS
11: ISE
12: WSA
13: Do written exam
14: Practice (INE labs)
15: Lab exam
16: Drink beer and celebrate

This makes a little more sense. Setting up all the switches will lay the foundation for the network, as well as determining the addressing needed.

From there I can move on to the ASAs, and the VPNs.

Once the VPNs are in place we can do all of the routing protocols (both IPv4 and IPv6), and then move on to the wireless aspects.

One we have the wireless configured we can look at hardening and availability. Then we can finish off the threat stuff.

Then we get to the appliances, the IPS, ACS, ISE and WSA.

After that I should be ready for the written exam.

That's the plan. At the moment.

CCIE Security lab, part 1

The new server is built, UNL is imported, an issue with the swap location is sorted (VM is on an SSD, which didn't leave enough room to create the swap file), and started.

Let's start configuring the lab. Please note that this is a work in progress, so there will be a number of edits as we go through!

Today I plan to cover part 1 and some of part 2 from my CCIE Security study plan.

First off, let's spend a couple of minutes thinking about the IP addressing scheme.

We need to manage the WSA. We have to configure the switches (3 and 6), the Windows PC, and the WSA.

CCIE security v4 toplogy

By default the WSA will use the IP address 192.168.42.42, with a /24 subnet. It makes sense, then, that we have a management VLAN of 192.168.42.0/24. We have our first requirement. We also need some trunks, and I'll use MST across the board. The VLAN VIP will live on Switch 3, at least for the moment, and will use an IP address of 192.168.42.1. The Windows host will use 192.168.42.7.

Now we have a start to the network.

I do have to make quite a major edit to the topology though. At the moment it has Arista switches. The port count makes it easier to match the INE topology, and the syntax is 90% the same (hence the court-case). However, I get this error:
localhost login:

localhost login: admin

Warning: the following filesystems have less than 10% free space left:
tmpfs                (on /var/log)      0% (948 1K-blocks Available)
Please remove configuration such as tracing and clean up the space.

Unable to connect: Connection refused

localhost login:
So let's replace them with some IOS switches instead.

Back in a minute...
OK, back now. I have swapped the Arista switches (SW3 and SW6) for vIOS (L2).

CCIE security v4 toplogy
Already I hit a road-block - not enough ports to cover my configuration:
Switch>en
Switch#conf t
Switch(config)#ho SW3
SW3(config)#vlan 42
SW3(config-vlan)#exi
SW3(config)#int vlan 42
SW3(config-if)#ip add 192.168.42.1 255.255.255.0
SW3(config-if)#no shut
SW3(config-if)#exi
SW3(config)#int gi3/0
SW3(config-if)#swi tru enc dot
SW3(config-if)#swi mo tru
SW3(config-if)#no sh
SW3(config-if)#int gi 5/0

% Invalid input detected at '^' marker.

SW3(config-if)#

So, I need to make another edit.

CCIE security v4 toplogy

OK, now we can proceed:
SW3(config)#int gi 0/3
SW3(config-if)#swi mo acc
SW3(config-if)#swi acc vl 42
SW3(config-if)#no shu
SW3(config-if)#desc Link to TestPC-B
SW3(config-if)#
Let's set up SW6:
Switch#conf t
Switch(config)#ho SW6
SW6(config)#vlan 42
SW6(config-vlan)#exi
SW6(config)#int gi 3/0
SW6(config-if)#swi trun enc do
SW6(config-if)#swi mo tru
SW6(config-if)#no sh
SW6(config-if)#exit
SW6(config)#int gi 1/1
SW6(config-if)#swi mo acc
SW6(config-if)#swi acc vl 42
SW6(config-if)#int gi 1/0 
SW6(config-if)#swi mo acc
SW6(config-if)#swi acc vl 42
SW6(config-if)#exi
SW6(config)#exi
SW6#
Let's start adding some spanning-tree:
SW3(config)#spanning-tree mode mst
SW3(config)#spanning-tree mst configuration 
SW3(config-mst)#rev 1  
SW3(config-mst)#instance 1 vlan 42
SW3(config-mst)#name 802101-Sec
SW3(config-mst)#exi
SW3(config)#spanning-tree mst 1 root pri
SW3(config)#

SW6(config)#spanning-tree mo mst
SW6(config)#span mst con
SW6(config-mst)#rev 1
SW6(config-mst)#name 802101-Sec
SW6(config-mst)#instance 1 vl 42
SW6(config-mst)#exi
SW6(config)#spanning-tree mst 1 root sec
SW6(config)#
Now we should be able to get to the WSA from our test PC. From the console we need to browse to http://192.168.42.42:8080:
AsyncOS starting services ...
..............................................................................................................................................................

AsyncOS ironport.example.com (cuau0)

login: admin
Password:
Last login: Tue Aug  4 12:02:30 on cuau0
AsyncOS 8.6.0 for Web build 025

Welcome to the Cisco S000V Web Security Virtual Appliance
Please wait while appliance services start up..................
Please run System Setup Wizard at http://192.168.42.42:8080
ironport.example.com>
Woo hoo! Looks good so far:

Cisco vWSA running on UNetLab

I log in with the username admin, and password of ironport and get this:

Cisco vWSA running on UNetLab

OK, so I need to get a license. This part is not going too well:

Licensing Cisco vWSA for UNetLab

Licensing Cisco vWSA for UNetLab

Balls.

Let's look on the bright-side, I have actually covered the first part of my 17 step CCIE Security study plan.

I just need to get a working license.

Stay tuned!



CCIE Security lab server build starts!

It's server build time! 

Three year old boy build a server

My new server arrived on Thursday. I had been toying with what to get for a couple of weeks, and found what I thought was a bargain on eBay.

For the reasonable sum of £649.99, I picked up a dual hexa core Xeon Dell Precision T5500. It's got a pair of X5675 Xeon processors, so it gives me a total of 24 logical CPUs, and came with a nice 48Gb of memory. 

Cheap server for ESXi on eBay

The best part was that the seller had two of them, and then upped the price by £350!

Cheap server for ESXi on eBay
It just goes to show that timing is everything! I am very pleased that not waiting a day or two saved me a stack of cash.

It was a barebones setup, so I added a 120Gb SSD to hold the OS, and a 750Gb SATA drive. It took some time to get the second HD running, as that channel was disabled in the BIOS. Took me a little while to figure this out, but now it's running nicely. I was helped by one of my boys. He put the DVD in the drive and plugged cables in for me.

The best thing about it is that compared to my old server (which you can see in the background on the first picture), that I used for my R&S, it's nearly completely silent. My wife will be much happier about this, and it makes studying easier, as it's hard to concentrate when it sounds like you are sitting in a wind tunnel (or a server room).

It's now loaded with ESXi 6.0, and the vSphere server appliance is running on it. Being a Mac user it's either using that, or having to run a Windows VM for management.

ESXi on Dell T5500


I have migrated UNL from VMWare Fusion on my Mac, to the new server, and upped the CPU count to 12, and the memory from 8GB (the limit in Fusion) to 40GB, which, by my calculation, is the minimum memory requirement for the CCIE Security lab.

ESXi on Dell T5500

I think somethings will have to run as ESXi hosts, namely the ISE, but the benefit of the full VMWare solution is the enhanced memory handling - such as over commitment. That said, the first DIMM slots have 4GB sticks in them, so I could upgrade these to 8GB sticks and gain and additional 24GB or memory, taking the total up to 72GB. The system can take a maximum of 96GB. So there is a lot of scope for expansion.

I think I will need to add an ethernet card, probably a quad one, as I will need to link into to components such as the Access Point, ISE etc etc.  But this bit can wait a few months.

It's looking good so far. The books have started to arrive, and I am formulating my study plan.

I also managed to clear up the garage so we can fit a chest freezer in tomorrow. It's going to be a busy weekend!