Need a Coach for Your CCIE Pursuit?

April 9, 2015 at 10:32 pm

I have found the power of coaching to be incredible. In the last three years, I have achieved great success at work, in my studies, and with physical fitness through the power of excellent coaching.


Tennis coach – check!

Running coach – check!

CBT Nugget coach – check!

CCIE Security coach – check!

Martial arts, personal firearms, physical fitness coach – check!

Flight coach – check!

I would love to give back. If you are studying for any CCIE track, let me try and help with the new CCIE Coaching section of this website. Interact with me through the comments section of each post!

Today’s assignment – Please introduce yourself in the public comments below and update me with where you are at today with your CCIE pursuit. Don’t forget to let me know details like track and current progress (written/lab). Also, don’t be embarrassed if you are at the CCNA level or even pre-CCNA, we all need to start somewhere! I look forward to meeting you and helping in any way I can!

Application Inspection on the ASA

March 13, 2015 at 10:07 am

One of the key strengths of the Cisco ASA is the control it gives us in ensuring that applications running across the device are not trying to do us harm. This is implemented, of course, with Application Inspection. It permits us to examine not only the packet header, but also the contents of the packet right up to Layer 7.


Another nice thing is the fact that the ASA is trained to deal with applications that require special handling. Examples would be the handling of data packets that embed IP addressing information in the data payload, or that open up secondary channels on dynamically assigned ports.

The list of applications supported is impressive and continues to grow. Here are just some:

  • HTTP
  • FTP
  • IM
  • H.323
  • TFTP
  • SIP
  • DNS

Application Inspection is enabled and tweaked through the use of the Modular Policy Framework (MPF). Remember, this follows the general structure of a traffic class to identify traffic (class-map), actions assigned with policies (policy-map), and then the service policies activated on interfaces (service-policy).

Remember, the ASA is set up for some Application Inspection right out of the box. You can see this with the default class-map inspection_default, the policy-map global_policy, and the service-policy assigned globally.

Here is a look at these default structures. Note this shows you which specific protocols are being inspected by default on all interfaces:

class-map inspection_default
   match default-inspection-traffic
policy-map type inspect dns preset_dns_map
   parameters
       message-length maximum 512
policy-map global_policy
   class inspection_default
       inspect dns preset_dns_map
       inspect ftp
       inspect h323 h225
       inspect h323 ras
       inspect ip-options
       inspect rsh
       inspect rtsp
       inspect esmtp
       inspect sqlnet
       inspect skinny
       inspect sunrpc
       inspect xdmcp
       inspect sip
       inspect netbios
       inspect tftp
service-policy global_policy global

You can also shape Application Inspection on the ASA yourself. In this example of HTTP inspection, we selectively inspect HTTP traffic to our web server, spoof the server banner so our server appears to be an Apache server, reset connections whose request header length exceeds 4096 bytes, and cap connection counts to guard against DoS attacks:

access-list OUT_IN extended permit tcp any host 192.168.65.3 eq www
access-group OUT_IN in interface outside
access-list AHTTP permit tcp any host 192.168.65.3 eq www
class-map CHTTP
   match access-list AHTTP
policy-map type inspect http PDHTTP
   parameters
      spoof-server "Apache Server"
   match request header length gt 4096
      reset
policy-map POUTSIDE
   class CHTTP
      inspect http PDHTTP
      set connection conn-max 2 embryonic-conn-max 1
service-policy POUTSIDE interface outside
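The two listings above show the MPF structure, but on a real box the question a security engineer keeps asking is "what is actually being inspected, and where?" As an added example that is not from the original post, here is a Python script that parses the class-map / policy-map / service-policy hierarchy of an ASA configuration and resolves it to the inspections active per scope. The config text inside it is constructed for the example: a trimmed-down default global_policy, the HTTP example from this post, and one policy map (PUNUSED) that is written but never bound with service-policy, which is the classic reason "configured" inspection silently does nothing.

```python
"""Audit which ASA application inspections are really active.

Added example, not from the original post: parses the Modular Policy
Framework sections of an ASA configuration and resolves
service-policy -> policy-map -> class -> inspect actions.
"""
import re
from collections import defaultdict

# Constructed sample config (one-space indent per level, as in 'show run').
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map CHTTP
 match access-list AHTTP
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect http PDHTTP
 parameters
  spoof-server "Apache Server"
 match request header length gt 4096
  reset
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 ras
  inspect sip
policy-map POUTSIDE
 class CHTTP
  inspect http PDHTTP
  set connection conn-max 2 embryonic-conn-max 1
policy-map PUNUSED
 class CHTTP
  inspect http
service-policy global_policy global
service-policy POUTSIDE interface outside
"""


def parse_mpf(config):
    """Return (class_maps, policy_maps, service_policies).

    class_maps:       {name: [match lines]}             (Layer 3/4 class maps)
    policy_maps:      {name: {class_name: [actions]}}   (Layer 3/4 policy maps)
    service_policies: [(policy_name, 'global' | interface_name)]
    'policy-map type inspect ...' blocks hold protocol parameters, not
    inspect actions, so they are skipped.
    """
    class_maps, policy_maps, service_policies = {}, {}, []
    current = None        # ('class'|'policy'|'inspect', name) or None
    current_class = None  # class currently open inside a Layer 3/4 policy map
    for raw in config.splitlines():
        text = raw.strip()
        if not text:
            continue
        if raw[0] != " ":  # top-level command starts a new block
            current_class = None
            if m := re.match(r"class-map (\S+)$", text):
                current = ("class", m.group(1))
                class_maps[m.group(1)] = []
            elif m := re.match(r"policy-map type inspect \S+ (\S+)$", text):
                current = ("inspect", m.group(1))
            elif m := re.match(r"policy-map (\S+)$", text):
                current = ("policy", m.group(1))
                policy_maps[m.group(1)] = {}
            else:
                current = None
                if m := re.match(r"service-policy (\S+) (?:global|interface (\S+))$", text):
                    service_policies.append((m.group(1), m.group(2) or "global"))
            continue
        if current is None or current[0] == "inspect":
            continue
        kind, name = current
        if kind == "class":
            class_maps[name].append(text)
        elif m := re.match(r"class (\S+)$", text):
            current_class = m.group(1)
            policy_maps[name].setdefault(current_class, [])
        elif current_class is not None:
            policy_maps[name][current_class].append(text)
    return class_maps, policy_maps, service_policies


# 'inspect h323 h225' and 'inspect h323 ras' are each one protocol, not a map name
INSPECT_RE = re.compile(r"inspect (h323 \S+|\S+)(?: (\S+))?$")


def active_inspections(config):
    """Map each scope ('global' or an interface name) to the
    (class_name, protocol, inspect_map_or_None) triples applied there."""
    _, policy_maps, service_policies = parse_mpf(config)
    active = defaultdict(list)
    for policy, scope in service_policies:
        for cls, actions in policy_maps.get(policy, {}).items():
            for action in actions:
                if m := INSPECT_RE.match(action):
                    active[scope].append((cls, m.group(1), m.group(2)))
    return dict(active)


def unapplied_policy_maps(config):
    """Layer 3/4 policy maps never bound with service-policy: their inspect
    lines appear in the config but act on no traffic at all."""
    _, policy_maps, service_policies = parse_mpf(config)
    return sorted(set(policy_maps) - {p for p, _ in service_policies})


if __name__ == "__main__":
    for scope, entries in active_inspections(SAMPLE_CONFIG).items():
        for cls, proto, imap in entries:
            print(f"{scope:8} {cls:20} inspect {proto}" + (f" ({imap})" if imap else ""))
    print("never applied:", unapplied_policy_maps(SAMPLE_CONFIG))
```

Feed it the output of show running-config instead of SAMPLE_CONFIG to audit a real device; the interface-scoped list tells you which inspections only apply to traffic on that interface, and the unapplied list is the first thing to check when an inspection you expect to fire never shows up in show service-policy.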

CCIE R&S v5 Part 4 VPN Tech Has Started!

January 14, 2015 at 12:30 am

Part 4 of 6 of CCIE R&S v5 All-In-One is underway at CBT Nuggets and I am so thrilled to be the primary instructor for this course. This course focuses on all of the topics required for the VPN Technologies sections of the written and practical exams.

This is sure to be the most popular of all the courses with our students since it covers topics that are fairly new or VERY new to the track. For example, MPLS was with us in Version 4, but now we add to that the DMVPN (practical) and topics like GET VPN (written-only).

I will be using the new Cisco VIRL as the basis for hands on practice. Feel free to follow along with me command by command. Of course if you are a GNS3 person, fire that up instead.

Perhaps the most exciting thing about the course is that we are more granular than ever at CBT Nuggets now. So if you have MPLS basically nailed, for example, and you just need to refresh on a couple of topics, the outline will be very clear for you on what Nuggets you need to watch right away. As always, if I speak too deliberately for you, speed me up to as much as 2X speed.

Enjoy the new Nuggets everyone. I sure am having an absolute blast making them for you.

Course Update: S. Morris and A. Sequeira Begin CCIE R&S v5 Part 3!

June 19, 2014 at 8:00 pm

Scott Morris and Anthony Sequeira, both full-time instructors with CBT Nuggets, have launched their Part 3 of the CCIE R&S v5 All-In-One course. This part of the course is the largest collection of videos and deals with Layer 3 technologies, including scalable routing protocols, Layer 3 multicast, and troubleshooting.


This third part is one of six overall parts to the collection of Nugget courses that prepare students for both the written and the lab exams. The parts are as follows:

This collection of courses is unique in that a different combination of top instructors is used for each part. For example, Anthony Sequeira and Keith Barker completed the first part, while Keith and Jeremy Cioara trained the second.

Training is available on every smart device, with industry-best features like bookmarking, note-taking, and even playing the instructor at various speeds.

We hope you enjoy these courses as much as we enjoyed making them, and remember, study with passion!

MicroNugget: CCIE v5 Documentation

December 18, 2013 at 12:00 pm

In this MicroNugget, I discuss the concept of using Cisco documentation during the CCIE version 5 lab exam. This MicroNugget directly relates to my and Keith Barker’s Cisco CCIE Routing and Switching v5 All-In-One training course.