Monday, June 30, 2008

CCIE R&S LAB boot camp with Narbik

Next CCIE R&S boot camp, coming in Oct 2008

@ KUALA LUMPUR
Price - US$2500

Schedule - 20th Oct to 24th Oct 2008

Narbik Kocharians, CCIE #12410 (R&S, SP, Security), CCSI #30832
Narbik has over 30 years of experience in the industry. He has designed, implemented and supported numerous enterprise networks. Some of the companies Narbik has worked for are IBM, Carlton United Breweries, Australian Cable and Wireless, BP, and in the US, 20th Century Ins., Home Saving of America, Verizon, TTI, Trinet Inc, and many more. Narbik has been a dedicated CCIE instructor for over 10 years.

details - http://www.micronicstraining.com/ccie-routing-switching-lab.html

Sunday, June 29, 2008

ShortNotes for CCIE written exam - URPF

URPF (Unicast reverse path forwarding)
enables the router to verify the reachability of the source address in packets being forwarded. If the source address is not valid, the packet is discarded. It is used to help limit malicious traffic, such as packets with spoofed source addresses, on the enterprise network. URPF works in one of three modes:
Strict, Loose and VRF mode.

Strict mode - the packet must arrive on the same interface the router would use to reach its source (same interface for in/out packets). Legitimate traffic may be dropped under asymmetric routing.
Loose mode - only checks that the routing table has a route back to the source, on any interface. An ACL may also be specified. Better for asymmetric routing.

Configuration
ip cef must be turned on first
under interface configuration mode:

ip verify unicast reverse-path
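To see what the strict and loose checks actually decide, here is an added Python model (not from the original post or from Cisco): a constructed FIB, a longest-prefix lookup, and a check that mirrors the IOS behaviour where a default route only counts with allow-default and a route to Null0 fails in both modes. Interface names and prefixes are made up for the demo.

```python
import ipaddress

# Constructed FIB for the demo (prefix -> outgoing interface); not from the original post.
FIB = {
    ipaddress.ip_network("10.1.0.0/16"): "Gi0/1",
    ipaddress.ip_network("10.1.5.0/24"): "Gi0/2",   # more specific than the /16
    ipaddress.ip_network("192.0.2.0/24"): "Null0",  # blackholed prefix
    ipaddress.ip_network("0.0.0.0/0"): "Gi0/4",     # default route
}

def lookup(src):
    """Longest-prefix match on the FIB; returns (prefix, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, ifc in FIB.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best

def urpf_check(src, ingress, mode="strict", allow_default=False):
    """True if a packet from src arriving on ingress passes uRPF.

    strict: the route back to src must point out the ingress interface
            (ip verify unicast reverse-path / source reachable-via rx).
    loose:  any route back to src is enough (source reachable-via any).
    A default route only counts when allow_default is set, and a route
    to Null0 fails in both modes.
    """
    hit = lookup(src)
    if hit is None:
        return False
    net, ifc = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if ifc == "Null0":
        return False
    if mode == "loose":
        return True
    return ifc == ingress

if __name__ == "__main__":
    # Asymmetric path: 10.1.5.7 enters on Gi0/1 but the best route back is Gi0/2.
    for mode in ("strict", "loose"):
        print(mode, urpf_check("10.1.5.7", "Gi0/1", mode))  # strict False, loose True
```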

http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

Thursday, June 26, 2008

Interesting Story about CCIE number

"the folks at Cisco didn't want to start with the number '1'. So they decided to start with 1024, (2 ** 10), a common binary number. The lab was assigned the first number, 1024, and they placed a plaque with that number on the door (someone told me that the plaque has been kept and moved to one of the new test labs). Stuart was awarded the first real number, CCIE # 1025, because he created the test. I passed the hands-on test, designing and building the network in one day, then fixing the things he broke in just over half a day. I was awarded the next number, CCIE # 1026, in August, 1993, the first non-Cisco person to achieve the CCIE and the first to take the test."
Read the first CCIE's (Terry's) blog:

http://connection.netcordia.com/blogs/terrys_blog/archive/2007/08/16/ccie-test-and-numbering.aspx

CCIE number!!!

The worldwide CCIE number had reached 20723 on 7 May 2008.
20723 - CCIE number as of May 7th, 2008
1024 - beginning CCIE number, issued August 1993
______________
19,699 - CCIE numbers issued in the entire Cisco CCIE program

read more -
http://www.networkworld.com/community/node/27669

ShortNotes for CCIE written exam - CBAC

CBAC - Context-Based Access Control, a function of the firewall feature set in IOS.
It can inspect application-layer protocols like FTP, and is applied per interface and per direction (in/out). CBAC is available only for IP protocol traffic. Only TCP and UDP packets are inspected. (Other IP traffic, such as ICMP, cannot be inspected with CBAC and should be filtered with basic access lists instead.)
How CBAC Works
CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when specified traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered CBAC when exiting through the firewall.

What CBAC Does
Traffic Filtering
Traffic Inspection
Alerts and Audit Trails
Intrusion Detection

What CBAC Does Not Do
CBAC does not provide intelligent filtering for all protocols; it only works for the protocols that you specify. If you do not specify a certain protocol for CBAC, the existing access lists will determine how that protocol is filtered. No temporary openings will be created for protocols not specified for CBAC inspection. CBAC does not protect against attacks originating from within the protected network unless that traffic travels through a router that has the Cisco IOS Firewall feature set deployed on it. CBAC only detects and protects against attacks that travel through the firewall. This is a scenario in which you might want to deploy CBAC on an intranet-based router. CBAC protects against certain types of attacks, but not every type of attack. CBAC should not be considered a perfect, impenetrable defense. Determined, skilled attackers might be able to launch effective attacks. While there is no such thing as a perfect defense, CBAC detects and prevents most of the popular attacks on your network.

router1#configure terminal
router1(config)#ip inspect name mysite ftp
router1(config)#ip inspect name mysite smtp
router1(config)#ip inspect name mysite tcp
router1(config)#end
router1#show ip inspect config
Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50.
Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name mysite
    ftp timeout 3600
    smtp timeout 3600
    tcp timeout 3600
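An added Python model of the mechanism described above (my own illustration, not Cisco code): outbound sessions matching the inspect rule open temporary return paths, an inspected FTP control channel can open its data channel, uninspected protocols such as ICMP get nothing, and entries age out after the tcp idle-time from the show output. The ftp_port_command hook is hypothetical and stands in for CBAC parsing the PORT command itself.

```python
import time

TCP_IDLE = 3600  # "tcp idle-time is 3600 sec" in the show ip inspect config output
APP_PORTS = {21: "ftp", 25: "smtp"}  # TCP ports the inspect rule treats as applications

class Cbac:
    """Toy model of CBAC (not Cisco code): inspected outbound sessions open
    temporary return paths through an inbound ACL that otherwise denies all."""

    def __init__(self, inspect=("ftp", "smtp", "tcp")):  # the 'mysite' rule above
        self.inspect = set(inspect)
        self.sessions = {}  # (proto, src, sport, dst, dport) -> last-seen time
        self.expected = {}  # extra channels learned by inspection (active-FTP data)

    def outbound(self, proto, src, sport, dst, dport, now=None):
        """Inside -> outside packet. Only TCP/UDP can be inspected; ICMP never is."""
        now = time.time() if now is None else now
        app = APP_PORTS.get(dport, proto) if proto == "tcp" else proto
        if proto in ("tcp", "udp") and app in self.inspect:
            self.sessions[(proto, src, sport, dst, dport)] = now
        return True  # outbound traffic is permitted by this toy policy

    def ftp_port_command(self, src, sport, dst, client_data_port, now=None):
        """Hypothetical hook: the inspected FTP control session carried a PORT
        command, so expect the server to connect from port 20 to client_data_port."""
        now = time.time() if now is None else now
        if ("tcp", src, sport, dst, 21) not in self.sessions:
            return False  # no inspected control session, no opening
        self.expected[("tcp", dst, 20, src, client_data_port)] = now
        return True

    def inbound(self, proto, src, sport, dst, dport, now=None):
        """Outside -> inside packet: allowed only as part of a live inspected session."""
        now = time.time() if now is None else now
        self.expire(now)
        key = (proto, dst, dport, src, sport)  # reverse of the outbound flow
        if key in self.sessions:
            self.sessions[key] = now
            return True
        if (proto, src, sport, dst, dport) in self.expected:
            return True
        return False  # falls through to the inbound ACL, which denies it

    def expire(self, now):
        """Drop sessions and expected channels idle longer than the tcp idle-time."""
        for table in (self.sessions, self.expected):
            for k in [k for k, t in table.items() if now - t > TCP_IDLE]:
                del table[k]
```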

Details: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfcbac.htm

ShortNotes for CCIE written exam - WCCP

Web Cache Communication Protocol (WCCP) is a Cisco-developed content-routing protocol that provides a mechanism to redirect traffic flows in real-time. It has built-in load balancing, scaling, fault tolerance, and service-assurance (failsafe) mechanisms.

It coordinates between routers and content engines (cache engines).
It uses UDP port 2048 between the router and the content engine.
Up to 32 content engines can communicate with a single router using WCCPv1. If more than one content engine is present, the one with the lowest IP address is elected as the lead engine.
In WCCPv1, only one router can redirect traffic to a content engine or a group/cluster of engines.
In WCCPv2, multiple routers can redirect traffic to multiple content engines, and they can be configured as a WCCP service group.
WCCPv1 only supports HTTP traffic (TCP 80).
WCCPv2 supports several other protocols like FTP, audio and telephony, and provides MD5 security for WCCP communication through the password keyword of the ip wccp command.
The default version on routers is version 2.
Redirection can also be restricted with an access list.

DSCP/IPP/PHB

IP Precedence
Decimal value   Binary value   Name
----------------------------------------------------
Precedence 0    000            Routine
Precedence 1    001            Priority
Precedence 2    010            Immediate
Precedence 3    011            Flash
Precedence 4    100            Flash Override
Precedence 5    101            Critical
Precedence 6    110            Internetwork Control
Precedence 7    111            Network Control

DSCP value and IP Precedence
DSCP class   DSCP binary (decimal range)        IPP binary
-----------------------------------------------------------------
CS0          000000 (0-7)                       000
CS1          001000 (8-15)                      001
CS2          010000 (16-23)                     010
CS3          011000 (24-31)                     011
CS4          100000 (32-39)                     100
CS5          101000 (40-47, EF lies in this range)   101
CS6          110000 (48-55)                     110
CS7          111000 (56-63)                     111

AF PHB and DSCP (AFxy)
Class   Low drop (name / binary / decimal)   Medium drop (name / binary / decimal)   High drop (name / binary / decimal)
-----------------------------------------------------------------------------------------------------------------------
1       AF11 / 001010 / 10                   AF12 / 001100 / 12                      AF13 / 001110 / 14
2       AF21 / 010010 / 18                   AF22 / 010100 / 20                      AF23 / 010110 / 22
3       AF31 / 011010 / 26                   AF32 / 011100 / 28                      AF33 / 011110 / 30
4       AF41 / 100010 / 34                   AF42 / 100100 / 36                      AF43 / 100110 / 38
AF to decimal: 8x + 2y, e.g. AF42 = 8x4 + 2x2 = 36
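The three tables above are all views of the same six-bit field, so as an added example (my own code, not from the original notes) here is a decoder that derives the PHB name, IP Precedence and drop precedence from the bits, generalising the 8x + 2y rule and handling EF, which sits inside the CS5 range.

```python
def af_to_dscp(x, y):
    """AFxy -> DSCP decimal. Class x occupies bits 5-3 and drop precedence y
    bits 2-1 of the six-bit field, hence 8x + 2y (AF42 = 8*4 + 2*2 = 36)."""
    if not (1 <= x <= 4 and 1 <= y <= 3):
        raise ValueError("AF classes are 1-4 with drop precedence 1-3")
    return 8 * x + 2 * y

def decode_dscp(dscp):
    """Return (PHB name, 6-bit binary, IP precedence, drop precedence or None)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a six-bit field")
    ipp = dscp >> 3        # top three bits are backward compatible with IP Precedence
    low = dscp & 0b111     # bottom three bits: 000 = class selector, xy0 = AF drop level
    if dscp == 46:         # 101110: EF sits inside the CS5 range, so test it first
        return "EF", f"{dscp:06b}", ipp, None
    if low == 0:
        return f"CS{ipp}", f"{dscp:06b}", ipp, None
    if 1 <= ipp <= 4 and low in (2, 4, 6):
        drop = low >> 1    # 010 -> 1 (low), 100 -> 2 (medium), 110 -> 3 (high)
        return f"AF{ipp}{drop}", f"{dscp:06b}", ipp, drop
    return "non-standard", f"{dscp:06b}", ipp, None

def tos_byte_to_dscp(tos):
    """DSCP is the upper six bits of the IPv4 ToS/DS byte; the low two bits are ECN."""
    return (tos & 0xFF) >> 2

if __name__ == "__main__":
    for value in (0, 10, 36, 46, 48):
        print(value, decode_dscp(value))
```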