Sunday, January 25, 2015

Moving towards organized CCIE R&S study

So after a good bit of thought, and some boredom with the CCDA/DP material, I think I'm going to bypass the DA and DP for now.

I don't have much of a set plan right now, and most of my study, while helping get to CCIE, will be along the lines of what will enforce the work I'm currently doing at work.

Expect posts right now to relate to BGP mutlti-homing with dual ISP's, VRF, and general ASR 9k implementations.

I'm leaning towards the IPexpert labbing paths for eventual CCIE test/lab. Most of the video representation on INE bores me to tears.

I still have a hard date of 2020 to pass the test, so I'm giving myself plenty of time.

I'm starting from this diagram which is done on GNS3 v1.2 with IOU l3 devices. As you may notice, I have CSR1000v's implemented in VirtualBox. I'm not sure how useful they will be yet. They use a lot of RAM, and don't work with IOU devices(can't connect) as I currently have them implemented, if at all. I may have to move them from virtualbox to an ESXi hypervisor since the IOU implementation is already running on Vbox.



I'm probably due to build another "GNS3 for dummies like me" post again, but I'd like to get the CSR a little more sorted first.




Tuesday, December 30, 2014

New Job, new direction, yet again...

Realized that I never made a post per my successes in finding work.

It took a bit longer than I had expected.

I had a fairly involved interview process with Google, including a face to face, which ultimately didn't pan out, but allowed me to make some great contacts, and led to another phone interview, for a position I told them I didn't believe I was qualified for, but they decided they wanted to phone interview anyway. That didn't evolve into anything, either. I worked for a short time as a Project manager for a local inside plant special systems company which ended up being a REALLY bad idea. Although I was listed as a Director of operations, I wasn't anything more than a glorified cabling lead most of the time.

After that, I became a bit more picky and decided Project Management isn't what I want to do right now, especially with a new CCNP cert sitting on my desk, and started applying for solely Network Engineering positions. During that time, Google called back, on an App that I had submitted for a position located in Mountain view. I got all the way to scheduling the mountain view interview, and talking about relocation process. I think I probably would have received an offer for that position, but it was in their NOC, and I wasn't sure I wanted back into the always-putting-out-fires type of work after 8 years of it previously, especially in a NOC that was probably in the midst of developing their processes. Frankly, I was a bit tired.

That leads me to why I didn't take the Google interview. I had already had an offer for a Network Engineer position with a public entity, and the start date conflicted with when I could interview with Google, and after a lot of soul searching, turned down the flight to MV. I'm sure it would have been cool, but for the type of work it would be and the amount of hassle involved in relocating (I have a house here, kids in school, etc.) It just didn't seem like the best path forward. So I started the Public entity job, after also interviewing with another public entity for a network architect position. About a week into the new position, I was informed that I was the runner-up for the other job, but that they would keep me in mind.

The job I initially accepted had great benefits, good retirement, strangely, somewhat expensive insurance though. Pay-wise, it wasn't much of a step forward, in that respect. All I was going to get to do there, for the most part, was to do some slight break-fix, VPN adds, manage ISE, Solarwinds, and some interfacing to cloud services with AWS. The second job I interviewed with, for the Architect position, called back about a month into the job I accepted, and made an offer that I simply couldn't refuse for exactly the type of work that I wanted to do, and that pretty much any Network Engineer should want to do. After three months there, I have to say, I'm pretty much ecstatically happy.

The funny thing is the place that I'm working at was employing the guy, (who I used to work with at another company) that got the initial job that I interviewed with Google for. And now I'm doing some of his work.

My first project, a month in, was configuration of Dual Core 6807XL's in VSS, 10gig uplinks to each telecom room, with VRF separated networks, and Meraki guest wireless. One of the 2 largest Campus upgrades they had done in ten years. Talk about trial by fire. It worked out, 36 devices replaced with new, 15 hours on a Saturday, and zero trouble tickets put in by users on Monday. I did a pretty decent job, and am fairly proud of my work. I might almost call myself a network engineer now.

Anyway, I hope this may be inspirational to someone as I've spent quite a while working on becoming a network engineer, fairly late in my career, and hopefully it shows what can happen when you keep plugging away.

Good luck to all of you, and this blog will now focus on my new path, which will be CCDA-CCDP-CCIE R&S.

Stay tuned. I don't know that there will be much configuration posting while working on CCDA-CCDP, which I'm giving myself until the summer to complete. The way it's designed it's just two tests to get there due to CCDP using two of the CCNP tests as part of the cert path.




Sunday, November 16, 2014

GNS3 with IOU switching tested

Was dreading putting this together, but it ended up being pretty straightforward in 1.1

Have a simple switching topology setup and it's working so far for basic commands.




L2 port-channels work it appears.

Word is that ISL trunking does not work. A list of what did not work in early versions is here:

http://www.routereflector.com/cisco/cisco-iou-web-interface/features-not-supported/

And here is the how-to in the new GNS3 forums:

https://community.gns3.com/groups/cisco-ccna/blog/2014/11/03/how-to-setup-and-configure-cisco-iou-ios-on-unix-to-gns3-11

And here is the how-to for adding ASA images to QEMU:

https://community.gns3.com/community/support/forum/blog/2014/10/26/how-to-add-cisco-asa-842-to-gns3-11-and-get-it-working

etherchannel debug works:


Friday, July 11, 2014

Active - Active Failover with two ASA's




And Active to Active Failover...

Working off of this walkthrough:

https://www.youtube.com/watch?v=C4mTwnLIZnY

Tuesday, July 1, 2014

ASA to ASA VPN tunneling

What I'm working on now:



I'll do a post on advanced GNS3 setup to include ASA simulation, which had it's issues as did adding a second ASA once the single ASA setup was accomplished.

ASA1

ASA Version 8.4(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.252
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network LocalNetwork
 subnet 192.168.100.0 255.255.255.0
object network RemoteNetwork
 subnet 192.168.200.0 255.255.255.0
access-list Site1-to-Site2 extended permit ip object LocalNetwork object RemoteNetwork
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ASA1Tranform-set esp-aes-256 esp-sha-hmac
crypto map ASA1VPN 1 match address Site1-to-Site2
crypto map ASA1VPN 1 set pfs
crypto map ASA1VPN 1 set peer 10.10.10.2
crypto map ASA1VPN 1 set ikev1 transform-set ASA1Tranform-set
crypto map ASA1VPN 1 set security-association lifetime seconds 28800
crypto map ASA1VPN interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:7db04233c3969554643f82fc508ffc02
: end

ASA2

ASA Version 8.4(2)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.252
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network LocalNetwork
 subnet 192.168.200.0 255.255.255.0
object network RemoteNetwork
 subnet 192.168.100.0 255.255.255.0
access-list Site2-to-Site1 extended permit ip object LocalNetwork object RemoteNetwork
access-list NAT extended permit ip object LocalNetwork object RemoteNetwork
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ASA2Tranform-set esp-aes-256 esp-sha-hmac
crypto map ASA2VPN 1 match address Site2-to-Site1
crypto map ASA2VPN 1 set pfs
crypto map ASA2VPN 1 set peer 10.10.10.1
crypto map ASA2VPN 1 set ikev1 transform-set ASA2Tranform-set
crypto map ASA2VPN 1 set security-association lifetime seconds 28800
crypto map ASA2VPN interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:f6e37b3d077f5f321ff8917aae9142bf
: end



Monday, June 30, 2014

Moving in a new direction... new name for the Blog.

I've really enjoyed putting all of this down in one place, and since I'm moving in new directions, have a new book released, and am working on a possible run at some security certifications, I think I'll fire this back up.

I'm currently working within GNS3 and have successfully, up and running, a couple ASA instances.

I'll probably add a CCNA security tab to the top here shortly and add the process I've gone thru to get them up and running shortly.

I'm in the process of running through a few labs on site-to-site vpn's through ASA's both in and out of ASDM.

Monday, June 23, 2014

Well, It's done. I'm an Author now. "CCNA Home Lab Purchase and Build Guide" is now available for Kindle on Amazon.

I've pulled a lot of what is in this blog together to make a small guide for building CCNA home labs.

It will be interesting to see if there is demand.

You can get a copy here:

http://www.amazon.com/dp/B00L7CT8NK



Thursday, March 6, 2014

Looks like I may have to remove the "or Bust" from the Blog title...

A long road complete.

The T-SHOOT test was as much fun as I thought it would be. The break-fix work I did at my last job probably helped. With limited actual configuration rights on the Carrier core network, the test was like work was, just ping your way to the the answer and find the incomplete or incorrect configuration.

So... Now, I'm an unemployed CCNP.

We'll see how the rest of this next week plays out and that may change.

I'm pretty sure that either position that is high on my list will require me shuttering this blog for a good while, if not indefinitely as I'll possibly be moving back into the management track, and the way I work, there won't be a lot of time for extra-curricular activities like this, or likely much more Cisco certification need.

It's been fun, I'll keep people posted, and look for me to promote a book that I've been working on, related to what I've learned in maintaining this blog. It's about half complete and I expect it will be available on Amazon, and possibly iTunes/iBooks.

Wednesday, March 5, 2014

And one day until T-Shoot...

Just been running through the CBT nuggets vids and simulating some of the issues that CBT Nuggets has to rectify on the set up I built simulating the Cisco Topology.

My CCNP rack is already listed on Ebay. If I don't pass, I'll have to decide if I want to leave it or not...

http://www.ebay.com/itm/251467713528?ssPageName=STRK:MESELX:IT&_trksid=p3984.m1558.l2649