
If you are running ASA 8.4 code and have existing IKEv1 VPN sessions (Remote Access VPNs or site-to-site tunnels), you might want to take advantage of the benefits offered by IKEv2 (Internet Key Exchange version 2, RFC 4306) and migrate those existing sessions for better network resiliency, improvements in SA negotiation, and many other benefits. First we will look at the IKEv2 benefits, then run the migration command (yes, a single command), and then add additional features to the mix. IKEv2 support was introduced in ASA 8.4 and AnyConnect 3.0 code.

IKEv2 Benefits:

There are several benefits to running IKEv2 as compared to IKEv1. IKEv2 offers:

  • Improved network attack resiliency: IKEv2 offers denial-of-service prevention using cookies
  • Less overhead: IKEv2 requires fewer negotiation messages
  • Reduced complexity in IPsec establishment: features like Dead Peer Detection, NAT Traversal (NAT-T), Initial Contact, etc. are built into the protocol
  • Faster rekey time: IKEv2 offers better rekeying and collision handling
  • Authentication: IKEv2 offers a built-in configuration payload and user authentication (using EAP), and it allows unidirectional authentication as well

Interoperability Issues:

Some interoperability issues need to be kept in mind:

  • IKEv2 does not interoperate with IKEv1
  • An IPsec VPN cannot be established between a crypto device using IKEv2 and another crypto device using IKEv1, for security reasons

IKEv2 Migration Benefits:

Read more about ASA 8.4 : Migrating IKEv1 VPN Sessions to IKEv2 »


BIG changes announced!!! The CCIE Security v4 Lab is now official. For those who haven't scheduled the v3 lab yet, do it before November 18, 2012, as there is a laundry list of changes in the equipment list and blueprint for the lab exam: Cisco Secure ACS 5.X, Cisco Identity Services Engine (ISE) 1.X, ISR G2, the new 3750-X switch, completely revised ASA 8.4.x / 8.6.x (mainly due to NAT and IKEv2 changes), WLC 2500, Aironet APs, etc. Here is the hardware and software list for the new CCIE Security v4 Lab:

Hardware List:

  • Cisco 3800 Series Integrated Services Routers (ISR)
  • Cisco 1800 Series Integrated Services Routers (ISR)
  • Cisco 2900 Series Integrated Services Routers (ISR G2)
  • Cisco Catalyst 3560-24TS Series Switches
  • Cisco Catalyst 3750-X Series Switches
  • Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances
  • Cisco IPS Series 4200 Intrusion Prevention System sensors
  • Cisco S-series Web Security Appliance
  • Cisco ISE 3300 Series Identity Services Engine
  • Cisco WLC 2500 Series Wireless LAN Controller
  • Cisco Aironet 1200 Series Wireless Access Point
  • Cisco IP Phone 7900 Series
  • Cisco Secure Access Control System 5.X

Read more about CCIE Security v4 is now official »


In this tutorial, we will configure Cisco Secure ACS 5.X to return a TACACS+ attribute defining the role a user should be placed into on an IOS device using Role Based Access Control (RBAC). RBAC enables access restriction based on each user's role and function within the organization. This feature is very useful when an ACS admin wants to delegate varying responsibilities to different user groups within an organization. The Role-Based CLI Access feature allows the network administrator to define "views", which are sets of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (config) mode commands.

We can create the following roles to accomplish the goals set forth:

Read more about ACS5.X : Configure Role Based Access Control (RBAC) using TACACS+ »


In this tutorial, I will discuss IEEE 802.1X port-based access control using authentication from Cisco Secure ACS 5.X with dynamic VLAN assignment. The basic idea behind the standard is to authenticate and authorize a user before they can connect to the physical or logical port of a Layer 2 device and gain access to the VLAN or WLAN infrastructure.

Here, we have the following three basic components of the IEEE 802.1X architecture:

  • Authentication Server: Cisco Secure ACS 5.X
  • Authenticator: Catalyst Switch
  • Client or Supplicant: XP Native Client (or AnyConnect Secure Mobility Client, etc.)

In order to assign a VLAN to a client upon successful authentication, i.e. via dynamic VLAN assignment, the following RADIUS attributes need to be pushed to the Catalyst switch:


Cisco has taken the lid off by announcing the CCIE Data Center certification, which will validate expert knowledge of implementing and troubleshooting data center technologies. Initially, this exam will be available as a beta version. Here is the snippet from the original announcement:

The beta version of the CCIE Data Center Written Exam v3.0 (351-080) will be available for scheduling and testing at all worldwide Cisco-authorized Pearson VUE testing centers beginning May 1 through June 15, 2012

There is a mouthful of technologies included in the lab blueprint. The major sections are:

  • Cisco Data Center Infrastructure – NexusOS
  • Cisco Storage Networking
  • Cisco Data Center Virtualization
  • Cisco Unified Computing
  • Cisco Application Networking Services – ANS

Here's the detailed blueprint:

Read more about New CCIE Certification : CCIE Data Center is now official »


As you might know, beginning with Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been dramatically redesigned to allow for greater flexibility. The major advantage of this new approach is the use of real IP addresses instead of mapped IP addresses across numerous applications and features (interface ACLs, MPF, Botnet Traffic Filter, etc., to name a few). In this blog post, I will lay out the basics first before delving into more complex configuration examples in later posts. If you are preparing for the CCNP Security exam or waiting for the CCIE Security 4.0 Lab Exam update, you are most likely required to be familiar with these concepts.

Understanding Network Objects:

The implementation of NAT in post-8.3 ASA versions is accomplished by leveraging "network objects". A network object can be an IP address (for a single host), a subnet, an IP address range, or a fully qualified domain name. Here is an example of what a network object might look like for a single host (server):

object network privateServer
Read more about Understanding Cisco ASA Post-8.3 NAT Configuration »
