Thursday, July 24, 2014

CCIE Route/Switch v5 GNS3 Lab: Infrastructure Security

Hey all,

This lab contains a whole lot of layer 2 and layer 3 infrastructure security features, like ACLs, unicast RPF (reverse-path-forwarding source checks), SNMP access controls, etc. GNS3 doesn't simulate switching features as well as routing, so some of what I wanted to do I wasn't able to. Some of that is documented in text on the right side of the lab, where it can be read and still learned.
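To make the three feature families concrete, here is an added example of what they look like on a GNS3 IOS router, with the weak SNMP setting shown beside the hardened one. This is not the lab's own configuration: the interface names, the 192.0.2.0/24 infrastructure range, the 198.51.100.0/24 management/NMS subnet, the ACL and view names, and the SNMPv3 passwords are all assumptions made for illustration.

```cisco
! Added example, not the lab configs. Interfaces, addresses (192.0.2.0/24 =
! router loopbacks/links, 198.51.100.0/24 = NMS subnet), names and passwords
! are assumptions.
ip cef                                   ! uRPF is a CEF feature; without this the command is rejected
!
! --- Unicast RPF ---
! Strict mode on a single-homed edge: the packet's source must be reachable
! back out the SAME interface it arrived on, so spoofed sources are dropped.
interface GigabitEthernet0/1
 description single-homed customer edge
 ip verify unicast source reachable-via rx
!
! Loose mode where routing may be asymmetric: the source only has to exist
! in the routing table at all. Strict mode here would drop legitimate traffic.
interface GigabitEthernet0/2
 description external/peering link (asymmetric paths possible)
 ip verify unicast source reachable-via any
!
! --- Infrastructure ACL on the external link ---
! Drop obviously forged sources, let only the NMS subnet reach the routers'
! own addresses, log anything else aimed at the infrastructure, pass transit.
ip access-list extended EDGE-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
 deny   ip any 192.0.2.0 0.0.0.255 log
 permit ip any any
interface GigabitEthernet0/2
 ip access-group EDGE-IN in
!
! --- SNMP: weak setting vs. hardened setting ---
! Weak: a well-known community with no ACL is readable by anyone who can
! route a packet to the box. Remove it.
no snmp-server community public RO
!
! Hardened: SNMPv3 authPriv, read-only view, restricted to the NMS subnet.
ip access-list standard SNMP-NMS
 permit 198.51.100.0 0.0.0.255
 deny   any log
snmp-server view RO-VIEW iso included
snmp-server group NMS-RO v3 priv read RO-VIEW access SNMP-NMS
snmp-server user nms-poller NMS-RO v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd
!
! If the NMS only speaks v2c, at least bind the community to the ACL:
! snmp-server community L0ngRand0mString RO SNMP-NMS
```

Verify with `show ip interface GigabitEthernet0/1 | include verify` (uRPF state and drop counter), `show ip access-lists EDGE-IN` (hit counts on the deny entries) and `show snmp user`. The two uRPF modes are the caveat most worth remembering: strict mode is the stronger anti-spoofing check, but it silently discards good traffic on any link where the return path differs from the inbound one.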

These labs are all based around subject matter defined in the CCIEv5 lab blueprint. The full workup is here: (Cisco login required to view).

In any case, this lab contains an OSPFv3 IPv6 network connected to an IPv4 EIGRP network, with these security features intertwined. I recommend looking at the requirements page and then deleting/renaming the local configs that I've uploaded. Then see if you can meet the requirements on the GNS3 file. Once done, compare your results to mine and see if we solved it in different ways. Remember, there are always multiple ways to solve each problem, in real life and in the lab.

You can download the lab files and configs here:

Good luck!

Sunday, July 20, 2014

CCIE Route/Switch v5 GNS3 Lab: IGMP/PIM/AutoRP

Hey all,

This lab covers IGMP and PIM sparse-dense mode. I didn't delve much into sparse mode and dense mode PIM separately because they're all so similar: a simple designation of the mode on each interface, and they're configured. The main difference is whether the router assumes every node wants the traffic and floods it until it is pruned (dense mode), or assumes nobody wants it until a receiver explicitly joins through a rendezvous point (sparse mode). Sparse-dense mode lets an interface decide per group: a group defaults to dense mode, but if an RP is known or configured for that group, it is handled in sparse mode.

I also configured Auto-RP, so all nodes automatically learn the address of the rendezvous point (RP), and redundancy can easily be built into the system. This required one node to be configured to announce its candidacy for RP (or as many nodes as you want), and at least one RP mapping agent. This agent doesn't have to be an RP candidate, and again there can be multiple. It listens for candidate RPs and advertises the resulting group-to-RP mapping to the regular PIM routers, which listen for that information. You can learn more about Cisco sparse/dense/sparse-dense mode here:
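The three roles described above, candidate RP, mapping agent, and ordinary PIM router, as an added configuration example. It is not taken from the lab files: the Loopback0 source, the 239.1.0.0/16 group range, the 10.0.0.1/10.0.0.2 RP addresses, the TTL scopes and the ACL numbers are assumptions.

```cisco
! Added example, not the lab configs. Loopback0, the 239.1.0.0/16 range,
! the RP addresses 10.0.0.1/10.0.0.2, scope values and ACL numbers are assumed.
!
! --- every PIM router ---
ip multicast-routing
interface Loopback0
 ip pim sparse-dense-mode
interface GigabitEthernet0/0
 ip pim sparse-dense-mode
! Sparse-dense is what makes Auto-RP bootstrap: the two Auto-RP groups
! 224.0.1.39 (announce) and 224.0.1.40 (discovery) are flooded in dense
! mode, and every other group switches to sparse mode once an RP is learned.
!
! --- candidate RP (one router, or several for redundancy) ---
! Announces "I am RP for the groups in ACL 10" on 224.0.1.39 every 60 s.
! Loopback0 must be reachable through the IGP or nobody can join toward it.
access-list 10 permit 239.1.0.0 0.0.255.255
ip pim send-rp-announce Loopback0 scope 16 group-list 10
!
! --- mapping agent (does not need to be an RP) ---
! Listens on 224.0.1.39, picks the highest RP address per group range, and
! advertises the chosen group-to-RP mapping on 224.0.1.40.
ip pim send-rp-discovery Loopback0 scope 16
! Security caveat: any host on the network can send an RP announcement and
! hijack the mapping. Accept announcements only from the RPs we deployed.
access-list 20 permit 10.0.0.1
access-list 20 permit 10.0.0.2
ip pim rp-announce-filter rp-list 20 group-list 10
!
! --- optional hardening on the ordinary routers ---
! If the RP mapping expires, sparse-dense would fall back to dense-mode
! flooding for every group; this keeps such groups in sparse mode instead.
no ip pim dm-fallback
!
! --- alternative when interfaces must stay pure sparse-mode ---
! ip pim autorp listener   (dense-floods only 224.0.1.39 and 224.0.1.40)
```

Check the result with `show ip pim rp mapping` on a router that is neither an RP nor an agent: it should list the RP learned via Auto-RP for 239.1.0.0/16, and `show ip pim autorp` on the mapping agent shows how many announcements it has accepted and discarded.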

Download the GNS3 lab topology with configurations here:

Friday, July 18, 2014

CCIE Route/Switch v5 GNS3 Lab: CBT Nuggets Practice Lab

Hey all,

This lab is a lot of fun. I've been using CBTNuggets to study for the CCIE, and Jeremy Cioara (who, by the way, is a GENIUS) teaches a great course that's just a practice CCIE lab that he walks you through.

He recommended doing it yourself first to see if you could and I got all the way through it -- with a few exceptions. I posted it here for others to check out, and maybe learn from -- I didn't check most of my work against Jeremy's, so I imagine I solved some of the problems in different ways.

It's pretty ridiculous what you're asked to do -- very complex, overlapping technologies. Click on the picture below to see the entire topology that I used. Jeremy didn't provide one, so I built one myself.

You can download the unsolved as well as my version of the solved GNS3 lab below!

The GNS3 video series is here: <-- This requires a subscription, but you can check out the first minute or two of each video for free as a sample. You'll need to subscribe to get access to CBT Nuggets' great full lab topology and instruction requirements, but consider the solved lab a taster for what you'll be asked to do.

Download both the solved and unsolved versions of the GNS3 lab here:

Good luck!

Thursday, July 17, 2014

CCIE Route/Switch v5 GNS3 Lab: Layer2 WAN Technologies

A lab which covers HDLC and PPP encapsulation, CHAP and PAP authentication, MLPPP to bundle several serial links (such as T1 lines) into one logical link, and PPPoE, which carries PPP and its authentication over Ethernet and is the common negotiation protocol for at-home DSL connections.
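The authentication choice is the security-relevant part of this topic, so here is an added example, not the lab's configuration, showing PAP beside CHAP on a PPP serial link and then the same CHAP setting on an MLPPP bundle. The hostnames R1/R2, interface numbers, addresses and the password are assumptions.

```cisco
! Added example, not the lab configs. Hostnames, interfaces, addresses and
! the password "s3cret" are assumptions.
!
! Baseline: 'encapsulation hdlc' (the IOS default on serial links) has no
! authentication at all; PPP is what adds the option.
!
! --- R1, weak: PAP sends the username and password in clear text ---
! username R2 password 0 s3cret
! interface Serial0/0
!  encapsulation ppp
!  ppp authentication pap
!  ppp pap sent-username R1 password s3cret
!
! --- R1, preferred: CHAP, a three-way MD5 challenge/response ---
! The secret never crosses the wire, but BOTH routers must hold it in a
! reversible form: 'username ... password' works, 'username ... secret'
! (a one-way hash) cannot be used to compute the CHAP response.
hostname R1
service password-encryption       ! stores it as type 7 (obfuscated, not secure)
username R2 password 0 s3cret     ! the peer's hostname is the CHAP username
interface Serial0/0
 ip address 10.1.12.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap          ! with it on both ends, each side challenges the other
!
! --- R2 mirrors it ---
! hostname R2
! username R1 password 0 s3cret
! interface Serial0/0
!  ip address 10.1.12.2 255.255.255.252
!  encapsulation ppp
!  ppp authentication chap
!
! --- MLPPP on R1: two T1s bundled into one logical interface ---
! The IP address lives on the bundle; authentication runs per member link.
interface Multilink1
 ip address 10.1.12.1 255.255.255.252
 ppp multilink
 ppp multilink group 1
interface Serial0/0
 no ip address
 encapsulation ppp
 ppp authentication chap
 ppp multilink
 ppp multilink group 1
interface Serial0/1
 no ip address
 encapsulation ppp
 ppp authentication chap
 ppp multilink
 ppp multilink group 1
```

`debug ppp authentication` on either side shows the CHALLENGE/RESPONSE/SUCCESS exchange (or the FAILURE if the usernames do not match the peer's hostname), and `show ppp multilink` lists which member links joined the bundle. The type 7 caveat matters: anyone who can read the startup config can recover the CHAP secret, so protect the config file, not just the link.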

You can find the lab here:

Good luck!

Monday, July 14, 2014

CCIE Route/Switch v5 GNS3 Lab: MPLS VPN

Hey all,

As I practice labs for the CCIE, I think I'll upload my configuration samples and labs so you all are able to see them.

This lab covers a complete MPLS setup, including private VPNs spanned across an MPLS cloud. It also includes the PE-side configuration many companies rely on to connect remote sites: each site's local IGP (this lab uses OSPF and EIGRP) is redistributed into its MPLS VRF and carried between PEs as VPNv4 routes.
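The PE-side piece of that, as an added example rather than the lab's own configuration: one VRF for an OSPF site and one for an EIGRP site, each redistributed into MP-BGP and back. The AS number 65000, the VRF names, RD/RT values, process and AS numbers, the peer PE address 10.0.0.2 and the CE link addresses are all assumptions.

```cisco
! Added example, not the lab configs. ASN 65000, VRF names, RD/RT values,
! process IDs, the remote PE 10.0.0.2 and all addresses are assumptions.
!
! --- VRF definition ---
! The route-target is the actual isolation boundary: a VRF only receives
! VPNv4 routes tagged with an RT it imports. A typo in an import RT leaks
! another customer's routes into this VRF, so treat these values as policy.
ip vrf CUST-A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
ip vrf CUST-B
 rd 65000:200
 route-target export 65000:200
 route-target import 65000:200
!
! --- CE-facing interfaces ---
! 'ip vrf forwarding' removes any address already on the interface, so
! assign the address afterwards.
interface GigabitEthernet0/1
 description CUST-A site (OSPF)
 ip vrf forwarding CUST-A
 ip address 172.16.1.1 255.255.255.252
interface GigabitEthernet0/2
 description CUST-B site (EIGRP)
 ip vrf forwarding CUST-B
 ip address 172.17.1.1 255.255.255.252
!
! --- site IGP inside each VRF, with BGP routes redistributed back in ---
router ospf 100 vrf CUST-A
 router-id 172.16.1.1
 redistribute bgp 65000 subnets
 network 172.16.1.0 0.0.0.3 area 0
!
router eigrp 1
 address-family ipv4 vrf CUST-B autonomous-system 200
  network 172.17.1.0 0.0.0.3
  no auto-summary
  ! BGP carries no composite metric, so EIGRP needs a seed metric or it
  ! silently redistributes nothing.
  redistribute bgp 65000 metric 10000 100 255 1 1500
!
! --- MP-BGP between PEs, and the VRF address-families that feed it ---
router bgp 65000
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 update-source Loopback0
 address-family vpnv4
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 send-community extended   ! RTs ride in extended communities
 address-family ipv4 vrf CUST-A
  ! without the match clause only OSPF internal routes are redistributed
  redistribute ospf 100 vrf CUST-A match internal external 1 external 2
 address-family ipv4 vrf CUST-B
  redistribute eigrp 200
```

On the PE, `show ip route vrf CUST-A` should list the remote site's prefixes as BGP routes and `show ip bgp vpnv4 vrf CUST-A` shows them with their RD and extended communities; on the CE, the same prefixes appear as OSPF inter-area (or, for CUST-B, EIGRP external) routes.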

Lab is here:


Thursday, July 10, 2014

Software-Defined Networking in the Physical World

I just finished a short lunch-hour style training on the Cisco Prime platform, and I've got to say - they get it. No one wants to play with switches all day.

That's a hard thing to admit. I've spent 500+ hours studying for Cisco certifications, and I'm currently prepping for a CCIE, a certification solely in route/switch that costs over $1,500 per attempt in a far-away state. But I'm confident saying it:

I don't want to work on switches all day. 

I want to work on a management platform that can completely configure, control, and monitor my route/switch infrastructure. I want to use this platform to correlate threat data and alert me when my ports are filling up, let me know when to plug in another cable between my switches so it can configure a port-channel, and I want it to have the smarts to shut down a network storm.

If Cisco enabled CDP to allow for simple management, the management appliance could reach new devices by chaining through CDP-enabled devices to set up the management connection on new devices. It could also allow for recovery if a command renders a device unreachable.

In short, I want my network devices to act like lightweight APs - they have some ability to operate themselves, but they are able to act intelligently and seamlessly when controlled by a central management station.

This is entirely possible, and appears to be where Cisco is going.

Let me start over. Cisco's Prime platform is a super-charged monitoring platform. It's able to discover and monitor all your routers, switches, ASAs, etc. with great reporting. It's able to apply templates that you've built to a switch once you've given the switch a base config and a routable IP that the management device can reach.

But still, you need to know the configs. You need to know which things to turn on and turn off and why. I'm sure there's an argument there that only the experts in the field, who've invested significant time and money (wink wink), should be doing this anyway, so who cares?

If Cisco is able to realize this dream, they'll have brought the fantastic benefits of Software Defined Networking (SDN) into the physical world. 

They'd allow existing businesses with millions invested in 'heavy,' self-managed switches to upgrade their switches' software and enable central, intelligent management. Costs for expertise in networking will go down, and the cost of running a business will go down. Constantly mutating security attacks can be more quickly identified by taking the aggregate data and correlating it in a central place.

More importantly, if Cisco doesn't move to do this quickly, someone else will. 

You can read Cisco's information on Cisco Prime here: