
BIG Changes Announced !!! CCIE Security v4 Lab is now official here. For those who haven't scheduled the v3 lab yet, do it before November 18, 2012, as there is a laundry list of changes in the equipment list and blueprint for the lab exam: Cisco Secure ACS 5.X, Cisco Identity Services Engine (ISE) 1.X, ISR G2, the new 3750-X switch, a completely revised ASA 8.4.x / 8.6.x (mainly due to the NAT and IKEv2 changes), WLC 2500, Aironet APs, etc. Here is the hardware and software list for the new CCIE Security v4 Lab:

Hardware List:

  • Cisco 3800 Series Integrated Services Routers (ISR)
  • Cisco 1800 Series Integrated Services Routers (ISR)
  • Cisco 2900 Series Integrated Services Routers (ISR G2)
  • Cisco Catalyst 3560-24TS Series Switches
  • Cisco Catalyst 3750-X Series Switches
  • Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances
  • Cisco IPS Series 4200 Intrusion Prevention System sensors
  • Cisco S-series Web Security Appliance
  • Cisco ISE 3300 Series Identity Services Engine
  • Cisco WLC 2500 Series Wireless LAN Controller
  • Cisco Aironet 1200 Series Wireless Access Point
  • Cisco IP Phone 7900 Series
  • Cisco Secure Access Control System 5.X

Read more about CCIE Security v4 is now official »


In this tutorial, we will configure Cisco Secure ACS 5.X to return a TACACS+ attribute that defines the role a user should be placed into on an IOS device using Role Based Access Control (RBAC). RBAC restricts access based on each user's role and function within the organization. This feature is very useful when an ACS administrator wants to delegate varying responsibilities to different user groups within an organization. The Role-Based CLI Access feature allows the network administrator to define "views", which are sets of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (config) mode commands.

We can create the following roles to accomplish the goals set forth:

Read more about ACS5.X : Configure Role Based Access Control (RBAC) using TACACS+ »


In this tutorial, I will discuss IEEE 802.1X Port-Based Access Control using authentication from Cisco Secure ACS 5.X with dynamic VLAN assignment. The basic idea behind the standard is to authenticate and authorize a user before it can connect to the physical or logical port of a Layer 2 device and gain access to the VLAN or WLAN infrastructure.

Here, we have the following three basic components of the IEEE 802.1X architecture:

  • Authentication Server: Cisco Secure ACS 5.X
  • Authenticator: Catalyst Switch
  • Client or Supplicant: XP Native Client (or AnyConnect Secure Mobility Client, etc.)

In order to assign a VLAN to a client upon successful authentication, i.e. via dynamic VLAN assignment, the following RADIUS attributes need to be pushed to the Catalyst Switch:


Cisco has taken the lid off by announcing the CCIE Data Center certification, which will validate expert knowledge of implementing and troubleshooting Data Center technologies. Initially, this exam will be available in a beta version. Here is a snippet from the original announcement:

The beta version of the CCIE Data Center Written Exam v3.0 (351-080) will be available for scheduling and testing at all worldwide Cisco-authorized Pearson VUE testing centers beginning May 1 through June 15, 2012.

There is a mouthful of technologies included in the lab blueprint. The major sections are:

  • Cisco Data Center Infrastructure – NexusOS
  • Cisco Storage Networking
  • Cisco Data Center Virtualization
  • Cisco Unified Computing
  • Cisco Application Networking Services – ANS

Here's the detailed blueprint:

Read more about New CCIE Certification : CCIE Data Center is now official »


As you might know, beginning with Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been dramatically redesigned to allow for greater flexibility. The major advantage of this new approach is that numerous applications and features (interface ACLs, MPF, the Botnet Traffic Filter, etc., to name a few) now use real IP addresses instead of mapped IP addresses. In this blog post, I will lay out the basics first before delving into more complex configuration examples in later posts. If you are preparing for the CCNP Security exam or waiting for the CCIE Security 4.0 Lab Exam update, you will most likely be required to be familiar with these concepts.

Understanding Network Objects:

The implementation of NAT in post-8.3 ASA versions is accomplished by leveraging "Network Objects". A Network Object can be an IP address (for a single host), a subnet, an IP address range or a fully qualified domain name. Here is an example of what a Network Object might look like for a single host (a server):

object network privateServer
 host 192.168.2.50

Read more about Understanding Cisco ASA Post-8.3 NAT Configuration »


Recently, Cisco dropped some "unofficial" hints about the new CCIE Security v4 track in a Cisco Small Business post. The official announcement will probably be made soon, so if you are planning to sit the CCIE Security Lab, it's time to get ready.

Some tidbits from the relevant posts:

The Real Life of an Expert: Introducing the New CCIE Security

CCIE Security 4.0 is unusual among security certificates for its up-to-date, real-world content. It emphasizes security competency and efficient problem solving in networks that use cloud services, carry voice and multimedia traffic, and are accessed by a variety of wireless devices.

The content, currently in development, may include real-world applications that involve:

  • Securing both wireless and wired networks, including managing security policy by device and service
  • Extending application awareness to security devices, moving security up to Layer 7 from the stateless packets of Layers 3 and 4, and applying policy on a per-identity basis
  • Applying security policy in a network that has voice and video traffic
  • Securing networks that use managed services, dual ISPs, IPv6, or IP multicast

Cisco will soon announce the blueprints for the CCIE Security 4.0 written and lab exams; the first exam will take place approximately six months later.

Although there are no prerequisites for registration, Cisco offers a preparation path through its CCNA and/or CCNP Security levels, and recommends that candidates have at least three years of hands-on network security experience.

Read more about CCIE Security Version 4 Expected Soon! »
