Monday, September 10, 2018

CCIE Security v5 Journey Expanded Blueprint - Post 2

This post will evolve over time as I work through the blueprint; I will list out the different topics as I go through them. Any topics that have free material available will be listed as well. There is a lot of free training available for those who can't afford premium content like INE's AAP, which is kind of pricey, but in my opinion it's worth having for what it gives you access to. Lab Minutes also has paid content; the author there releases material to the public over time. I have been through a small percentage of the material listed below. If I feel the material is valuable and worth it, I will list it here. Paid material is listed at the top; free or low-cost material is lower down. To keep track of progress, I use Notepad++: I have copied the entire list below into it and note next to each item when I have watched it and completed the lab to test it out. There is a lot of content, so be patient when working through the list. More content will likely be added later, but this is a pretty good start. I will also add Cisco Live content.

INE CCNP Security SENSS
Network Device Planes of Operation
Control Plane Policing :: Part 1
Control Plane Policing :: Part 2
Control Plane Protection
Routing Protocol Security
Management Plane Protection
Secure Device Management
SNMP Overview
SNMP Configuration :: Part 1
SNMP Configuration :: Part 2
NTP Overview :: Part 1
NTP Overview :: Part 2
NTP Configuration
Network Event Logging :: Part 1
Network Event Logging :: Part 2
Netflow :: Part 1
Netflow :: Part 2
AAA Overview :: Part 1
AAA Overview :: Part 2
IOS AAA Configuration :: Part 1
IOS AAA Configuration :: Part 2
ASA AAA Configuration :: Part 1
ASA AAA Configuration :: Part 2
ASA AAA Configuration :: Part 3
Port Security
DHCP Snooping Overview :: Part 1
DHCP Snooping Overview :: Part 2
DHCP Snooping Configuration
Dynamic ARP Inspection Overview
Dynamic ARP Inspection Configuration
IP Spoofing Overview
IP Spoofing Configuration
STP Security Toolkit
Storm Control
Private VLAN Overview
Private VLAN Configuration
NAT Overview :: Part 1
NAT Overview :: Part 2
Static NAT Configuration
Dynamic NAT Configuration
Policy NAT Configuration :: Part 1
Policy NAT Configuration :: Part 2
Zone Based Policy Firewall Overview
Two Zone Firewall Configuration :: Part 1
Two Zone Firewall Configuration :: Part 2
Two Zone with NAT Firewall Configuration
Three Zone Firewall Configuration :: Part 1
Three Zone Firewall Configuration :: Part 2
Zone Based Policy Firewall Tuning Overview
Zone Based Policy Firewall Tuning Configuration
Zone Based Policy Firewall Application Inspection :: Part 1
Zone Based Policy Firewall Application Inspection :: Part 2
Zone Based Policy Firewall Self Zone :: Part 1
Zone Based Policy Firewall Self Zone :: Part 2
ASA Firewall Overview :: Part 1
ASA Firewall Overview :: Part 2
ASA Firewall ACL Overview :: Part 1
ASA Firewall ACL Overview :: Part 2
ASA Firewall ACL Configuration :: Part 1
ASA Firewall ACL Configuration :: Part 2
ASA Firewall Object Groups
ASA Identity Firewall Overview :: Part 1
ASA Identity Firewall Overview :: Part 2
ASA Firewall Modular Policy Framework Overview :: Part 1
ASA Firewall Modular Policy Framework Overview :: Part 2
ASA Firewall MPF Advanced Inspections :: Part 1
ASA Firewall MPF Advanced Inspections :: Part 2
ASA Firewall MPF Dynamic Protocol Inspection :: Part 1
ASA Firewall MPF Dynamic Protocol Inspection :: Part 2
ASA Firewall MPF Application Inspection
ASA Firewall NAT Overview
ASA Firewall Object NAT Configuration
ASA Firewall Twice NAT Configuration :: Part 1
ASA Firewall Twice NAT Configuration :: Part 2

CCNP Security SITCS 207
Web Security Appliance
Web Security Overview 
What is WSA? :: Part 1 
What is WSA? :: Part 2 
WSA Models, Interface & Licensing 
Explicit Mode Overview 
PAC File Overview 
Transparent Mode 
WSA Identities 
WSA Acceptable Use Controls 
WSA Access Policies Overview :: Part 1 
WSA Access Policies Overview :: Part 2 
WSA Access Policies Configuration :: Part 1 
WSA Access Policies Configuration :: Part 2 
WSA Access Policies Configuration :: Part 3 
WSA Access Policies Configuration :: Part 4 
WSA Decryption Policies Overview :: Part 1 
WSA Decryption Policies Overview :: Part 2 
WSA Decryption Policies Configuration 
WSA Outbound Policies 
WSA Transparent Mode with WCCP :: Part 1 
WSA Transparent Mode with WCCP :: Part 2 
WSA User Authentication Overview 
WSA User Authentication Configuration :: Part 1 
WSA User Authentication Configuration :: Part 2 
Cloud Web Security
CWS Overview 
CWS Licensing 
CWS Traffic Redirection :: Part 1 
CWS Traffic Redirection :: Part 2 
CWS Traffic Redirection :: Part 3 
CWS ASA Connector :: Part 1 
CWS ASA Connector :: Part 2 
CWS ISR G2 Connector :: Part 1 
CWS ISR G2 Connector :: Part 2 
CWS AnyConnect Connector 
ScanCenter Web Filtering Policy 
ASA-CX
ASA-CX Overview 
ASA-CX Models & Licensing 
ASA-CX Deployment Modes 
ASA-CX Policy Objects 
ASA-CX Access Policies 
ASA-CX Decryption Policies 
ASA-CX Identity Policies 
Total Duration: 2hrs 
Email Security
Email Security Overview 
ESA Overview 
ESA Models & Licensing

CCNP Security SISAS
AAA Framework
AAA Protocols 
RADIUS 
TACACS+ 
Cisco's Authentication Servers 
ISE Overview 
Authentication & Authorization
ISE Management & Authentication Policies 
MAC Authentication Bypass :: MAB 
MAB Layer 2 Authentication 
MAB Verification & Troubleshooting 
MAB & 802.1x Common Authorizations 
MAB & EAP Common Authorizations 
Authorization Verification Troubleshooting 
ACL Authorization :: dACL 
ACL Authorization :: Filter-ID ACL 
ACL Authorization :: Per-User ACL 
Extensible Authentication Protocol (EAP) 
Common EAP Tunneled Methods 
Common EAP Non-Tunneled Methods 
802.1x Configuration Steps 
Deploying EAP :: Part 1 
Deploying EAP :: Part 2 
EAP-FASTv1 Implementation 
ISE Identity Sources 
Authentication Against AD 
AD Integration 
ISE Application Server 
Identity Prefix & Suffix Strip 
User & Machine Authorization Policies :: Part 1 
User & Machine Authorization Policies :: Part 2 
Deploying EAP TLS 
Issuing Certificates on ISE 
Enrolling Users on a Certificate 
User Authentication using EAP TLS 
Importing CA Certificates 
EAP-FASTv2 Chaining :: Part 1 
EAP-FASTv2 Chaining :: Part 2 
EAP-FASTv2 Chaining :: Part 3 
Phased Deployment
Default Supplicant Network Access 
Layer 3 Authentication
Layer 3 Authentication 
Central Web Authentication Workflow 
Phase 1 Configuration 
Phase 2 Configuration 
ISE Guest Services 
Bring Your Own Device (BYOD) 
Wi-Fi Deployments 
Portal Policy 
EAP-FASTv2 Chaining :: Part 4 
EAP-FASTv2 Chaining :: Part 5 
Total Duration: 3hrs 
Endpoint Profiling
EndPoint Profiling 
Profiling Policies 
ISE Authorization Flow with Profiling 
Profiling Configuration :: Part 1 
Profiling Configuration :: Part 2 
Profiling Configuration :: Part 3 
Device Sensor Overview 
Posture Assessment
Posture Assessment Overview 
Posture Services 
Posture Configuration :: Part 1 
Posture Configuration :: Part 2 
Posture Configuration :: Part 3 
Posture Configuration :: Part 4 
Total Duration: 2hrs 
TrustSec
Layer 2 Encryption (MACSec) 
Security Group Tags (SGT) 
MACSec Implementation :: Part 1 
MACSec Implementation :: Part 2

CCNP Security SIMOS
VPN Concepts
Virtual Private Network (VPN) 
Secure VPN 
VPN Fundamentals 
Cryptographic Hashing Algorithms 
Digital Signatures 
Next-Generation Cryptography/Encryption 
VPN Logical Topologies 
IKEv1 IPsec VPN
IKEv1 Overview 
IKEv1 Phase 1 
IKEv1 Phase 2 
IKEv1 IPsec Control-Plane & Data-Plane 
IKEv1 IPsec VPN Types 
IOS Steps 
ASA Steps 
IKEv1 IPsec Crypto-Map Configuration :: Part 1 
IKEv1 IPsec Crypto-Map Configuration :: Part 2 
IKEv1 IPsec Verification & Troubleshooting :: Part 1 
IKEv1 IPsec Verification & Troubleshooting :: Part 2 
IKEv1 IPsec Verification & Troubleshooting :: Part 3 
IKEv1 IPsec Verification & Troubleshooting :: Part 4 
DPD & IKEv1 DPD 
IPsec Peer Availability Check 
IKEv1 DPD on IOS 
DPD Verification :: Part 1 
DPD Verification :: Part 2 
DPD Verification :: Part 3 
NAT-T Overview 
NAT-T Example 
GRE with IPsec Option A & B, IPsec Profile 
GRE with IPsec Example :: Part 1 
GRE with IPsec Example :: Part 2 
IPsec with SVTI :: Part 1 
IPsec with SVTI :: Part 2 
DMVPN Fundamentals 
NHRP & Important Messages 
DMVPN Routing, Spoke to Hub, & Spoke to Spoke 
DMVPN Phase 1 (Now Obsolete) :: Part 1 
DMVPN Phase 1 (Now Obsolete) :: Part 2 
DMVPN Phase 1 (Now Obsolete) :: Part 3 
DMVPN Phase 2 (Now Obsolete) :: Part 1 
DMVPN Phase 2 (Now Obsolete) :: Part 2 
DMVPN Phase 3 Mandatory Configuration 
DMVPN & IKEv1 IPsec, DMVPN & Crypto IPsec Profiles 
IPsec tunnels :: Part 1 
IPsec tunnels :: Part 2 
GETVPN 
GETVPN Control-Plane Phases 
GDOI TEK Rekey 
GETVPN Logical Topology, Routing, & Connectivity Requirements 
Total Duration: 10hrs 
IKEv2 IPsec VPN
IKEv2 Fundamentals 
IKEv2 Configuration Exchange 
FlexVPN & FlexVPN Building Blocks 
IKEv2 FlexVPN SVTI with PSK 
IKEv2 FlexVPN SVTI with PSK (Cont.) 
Public Key Infrastructure Overview 
IKEv2 Flex VPN Configuration :: Part 1 
IKEv2 Flex VPN Configuration :: Part 2 
IKEv2 Flex VPN Configuration :: Part 3 
IKEv2 Flex VPN Configuration :: Part 4 
IKEv2 FlexVPN Hub-and-Spoke :: Part 1 
IKEv2 FlexVPN Hub-and-Spoke :: Part 2 
IKEv2 FlexVPN Hub-and-Spoke :: Part 3 
IKEv2 FlexVPN Authorization Policy 
FlexVPN Hub-Spoke Routing Challenge :: Part 1 
FlexVPN Hub-Spoke Routing Challenge :: Part 2 
FlexVPN Spoke-to-Spoke :: Part 1 
FlexVPN Spoke-to-Spoke :: Part 2 
FlexVPN Spoke-to-Spoke :: Part 3 
SSL VPN
SSL VPN Fundamentals :: Part 1 
SSL VPN Fundamentals :: Part 2 
AnyConnect Fundamentals 
ASA VPN Building Blocks 
Cisco ASA VPN Building Blocks 
SSL VPN Tunnel-Group Matching 
ASA Clientless SSL VPN Overview 
ASA Configuration Steps 
ASA Verification & Troubleshooting Steps :: Part 1 
ASA Verification & Troubleshooting Steps :: Part 2 
ASA Verification & Troubleshooting Steps :: Part 3 
ASA Verification & Troubleshooting Steps :: Part 4 
ASA Clientless SSL VPN Certificate Authentication 
CA Options & ASA Configuration Steps :: Part 1 
CA Options & ASA Configuration Steps :: Part 2 
CA Options & ASA Configuration Steps :: Part 3 
ASA Clientless SSL VPN Multiple Authentication :: Part 1 
ASA Clientless SSL VPN Multiple Authentication :: Part 2 
SSL VPN ACL 
AnyConnect SSL VPN on ASA 
Additional ASA Verification & Troubleshooting 
SSL VPN Authorization Options 
ISE Configuration Steps :: Part 1 
ISE Configuration Steps :: Part 2 
ISE Configuration Steps :: Part 3 
AnyConnect IKEv2 IPsec :: Part 1 
AnyConnect IKEv2 IPsec :: Part 2

INE CCIE Security v4 Playlist
ASA Firewall Overview
ASA Basic Initialization
ASA IP Routing
ASA ACLs
ASA High Availability Overview
ASA Active/Standby Failover
ASA Multiple Context Mode Overview
ASA Multiple Context Mode Configuration
ASA Active/Active Failover
ASA Transparent Firewall
ASA Transparent Firewall & ARP Filtering
ASA Transparent Failover
ASA Modular Policy Framework (MPF) Overview
ASA Modular Policy Framework (MPF) Configuration
ASA Advanced TCP Inspection with MPF
ASA Advanced Application Inspection with MPF
ASA Quality of Service (QoS)
ASA Network Address Translation (NAT) Part 1
ASA Network Address Translation (NAT) Part 2
ASA Redundant Interfaces
Standard, Extended, Time Based, & Dynamic ACLs
Reflexive ACLs
TCP Intercept
Content Based Access Control (CBAC)
CBAC High Availability
Zone Based Firewall (ZBPF) Overview
ZBPF Configuration
Port to Application Mapping (PAM)
ZBPF Parameter Tuning
ZBPF Application Inspection
IOS Transparent Firewall
ZBPF Transparent Firewall
IPsec VPN Overview
IOS LAN-to-LAN IPsec Configuration
IPsec Verification & Troubleshooting
ASA LAN-to-LAN IPsec Configuration
IOS & ASA PKI Overview
IPsec & PKI Certificates
GRE over IPsec Tunnels
IPSec Profiles & Virtual Tunnel Interfaces (VTIs)
Easy VPN Overview
IOS Easy VPN Server
IOS Easy VPN Client
IOS Easy VPN with Dynamic VTIs, ISAKMP Profiles
ASA Easy VPN Server
ASA Easy VPN Server & IOS Easy VPN Client
ASA Clientless & AnyConnect SSL VPN
DMVPN
IPS Overview, Promiscuous Mode & SPAN
IPS Promiscuous Mode & RSPAN
IPS Blocking Devices & Custom Signatures
IPS Inline Mode, VLAN Pairing
IPS Virtual Sensors and Signature Engines
WSA Overview & Initial Setup
WSA Management, Identities, & Access Policies
WSA HTTP Session Processing
WSA Transparent Mode & WCCP L2 Mode
WSA Transparent Mode & WCCP GRE Mode
WSA HTTPS Decryption Policies
AAA Overview, Local AAA, & Role Based CLI
IOS AAA with ACS
ASA AAA with ACS
ACS IOS Auth-Proxy Authentication
ACS IOS Auth-Proxy Authorization
ACS ASA Cut-Through Proxy
ISE Overview
802.1x, MAB, & EAP Overview
ISE MAB Authentication
ISE 802.1x & MAB Authorization
ISE 802.1x Authentication
ISE MACsec
ISE Central Web Authentication
ISE Profiling
Wireless Overview
Wireless Client Authentication
Wireless Central Web Authentication
Wireless Control Plane Security
ASA ACLs :: Part 1
ASA ACLs :: Part 2
ASA Object NAT :: Part 1
ASA Object NAT :: Part 2
ASA Twice NAT :: Part 1
ASA Twice NAT :: Part 2
ASA Twice NAT :: Part 3
IOS Static NAT :: Part 1
IOS Static NAT :: Part 2
IOS Dynamic & Stateful NAT
IOS NVI NAT
VRF Aware IPsec with CMAP
VRF Aware IPsec with GRE
IPsec High Availability :: Part 1
IPsec High Availability :: Part 2
IPsec Stateful High Availability
GETVPN
GETVPN COOP
IKEv2 L2L on IOS & ASA :: Part 1
IKEv2 L2L on IOS & ASA :: Part 2
IKEv2 FlexVPN Client & Server :: Part 1
IKEv2 FlexVPN Client & Server :: Part 2
DTP & Port Security
VACL and PVLAN
DHCP Snooping, DAI & IPSG :: Part 1
DHCP Snooping, DAI & IPSG :: Part 2
IPv6 First Hop Security (FHS)

Jason Maynard Cisco VoD YT Channel
FTD 6.1
Cisco Firepower Threat Defense: OVF Deployment
Cisco Firepower Threat Defense: Quick Installation NGFW
Cisco Firepower Threat Defense: Quick Installation Firepower Management Center
Cisco Firepower Threat Defense: Routed Mode Interface Configuration
Cisco Firepower Threat Defense: Passive Interface
Cisco Firepower Threat Defense: Routing Configuration
Cisco Firepower Threat Defense: NAT Configuration
Cisco Firepower Threat Defense: DHCP
Cisco Firepower Threat Defense: Platform Policy
Cisco Firepower Threat Defense: Enable Security Intelligence
Cisco Firepower Threat Defense: Access Policy Creation (Basic)
Cisco Firepower Threat Defense: Access Policy Creation (Application)
Cisco Firepower Threat Defense: Access Policy Creation (URL)
Cisco Firepower Threat Defense: Malware Policy
Cisco Firepower Threat Defense: Malware Analysis
Cisco Firepower Threat Defense: IPS Policy Balanced
Cisco Firepower Threat Defense: PortScan Detection
Cisco Firepower Threat Defense: DLP Sensitive Data
Cisco Firepower Threat Defense: Network Discovery
Cisco Firepower Threat Defense: NGIPS Tuning Firepower Recommendation
Cisco Firepower Threat Defense: SSL Decryption
Cisco Firepower Threat Defense: Fix MS Win2008R2 Certificate SHA1
Cisco Firepower Threat Defense: DNS Sinkholing
Cisco Firepower Threat Defense: DNS Sinkholing Packet Capture
Cisco Firepower Threat Defense: DNS Sinkhole Tweaking for the Analyst
Cisco Firepower Threat Defense: CloudLock Cloud Application Discovery Report (Shadow IT)
Cisco Firepower Threat Defense: Visibility into Cloud Applications Shadow IT
Cisco Firepower Threat Defense: Application Based Rate Limiting
Cisco Firepower Threat Defense: Prefilter Policy Fast Path
Cisco Firepower Threat Defense: Security Intelligence Feeds IPs, Domains, URLs
Cisco Firepower Threat Defense: RBAC (Predefined and Custom)
Cisco Firepower Threat Defense: Simple Syslog Alerting
Cisco Firepower Threat Defense: Value of Host Profiles
Cisco Firepower Threat Defense: NMAP Scanner Host Profile
Cisco Firepower Threat Defense: NMAP Scanner Scheduled Network Scan
Cisco Firepower Threat Defense: HA Active/Standby Failover Deployment
Cisco Firepower Threat Defense: Integrating Active Directory (User/Group Based Policies)
Cisco Firepower Threat Defense: Inline Set IPS (Routed Mode)
Cisco Firepower Threat Defense: Adding NICs to FTDv virtual NGFW
Cisco Firepower Threat Defense: Convert ASA to FTD
POV Cisco FTD and FMC (Spanned Deployment)
Firepower Threat Defense - Common Practice Guide Walkthrough
Cisco Firepower Threat Defense 6.2.2: Some differences when leveraging Firepower
FMC 101v2: A Network Administrators Perspective on Steroids

FTD 6.2
Cisco Firepower Threat Defense 6.2: Advanced Troubleshooting (Packet Tracer)
Firepower Threat Defense 6.2: Advanced Troubleshooting (Packet Capture)
Firepower Threat Defense 6.2: FlexConfig (EIGRP)
Firepower Threat Defense 6.2: FlexConfig (Netflow)
Firepower Threat Defense 6.2: Network Analysis Policy
Firepower Threat Defense 6.2: Correlation Policy
Firepower Threat Defense 6.2: Enabling Cisco Umbrella OpenDNS (Forwarders/Destination NAT)
Firepower Threat Defense 6.2: Enabling Cisco Umbrella on FTD (All DNS and Dest NAT)
Firepower Threat Defense 6.2: Custom Workflow (Access Policy Hit Count)
Firepower Threat Defense 6.2: Change Management IP on Existing NGFW device
Firepower Threat Defense 6.2: NGIPS Custom Signature (FTP STOR CMD)
Firepower Threat Defense 6.2: Application Control (FTP Upload Block)
Firepower Threat Defense 6.2: FMC and Endpoint AMP (Integration)
Firepower Threat Defense 6.2.2: Firepower Threat Defense DHCP Server
Cisco Firepower Threat Defense 6.2.2: Site 2 Site VPN (Point to Point)
Cisco Firepower Threat Defense 6.2.2: RA VPN (AD and Device Self-Signed Cert)
Cisco Firepower Threat Defense 6.2.2: Analysis (Lookups - GEO, URLs, WHOIS)
Cisco Firepower Threat Defense 6.2.2: Threat Intelligence Director (Flat File)
Cisco Firepower Threat Defense 6.2.2: Threat Intelligence Director (Hail A TAXII)
Cisco Firepower Threat Defense 6.2.2: Threatgrid Portal Integration
Cisco Firepower Threat Defense 6.2.2: SSL/TLS Decrypt
Cisco Firepower Threat Defense 6.2.2: Integrated Routing and Bridging
Cisco Firepower Threat Defense 6.2.3: Block QUIC force TCP TLS/SSL for Decryption
Firepower Threat Defense - Common Practice Guide Walkthrough
Cisco Firepower Threat Defense 6.2.2: Some differences when leveraging Firepower
FMC 101: A Network Administrators Perspective
FMC 101v2: A Network Administrators Perspective on Steroids

Cisco Stealthwatch
Cisco Stealthwatch: FlowCollector (Adding Firepower Threat Defense 6.2)
Cisco Stealthwatch: Analyzing Flows (Flow Filter)
Cisco Stealthwatch: Analyzing Flows (Quick View)
Cisco Stealthwatch: Analyzing Flows (Flow Analysis Scenarios - CI HOST)
Cisco Stealthwatch: Analyzing Flows (Flow Analysis Scenarios - Application Spikes)
Cisco Stealthwatch: Analyzing Flows (Flow Analysis Scenarios - Overloaded Interfaces)
Cisco Stealthwatch: Analyzing Flows (Flow Analysis Scenarios - Network Slow)
Cisco Stealthwatch: Analyzing Flows (Flow Analysis Scenarios - Malware)
Cisco Stealthwatch: Analyzing Flows (Flow Analysis Scenarios - Botnet)
Cisco Stealthwatch: Analyzing Flows (Flow Analysis Scenarios - Copyright Infringement)
Cisco Stealthwatch: Analyzing Flows (External Lookup)
Cisco Stealthwatch: Alarms (Responding)
Stealthwatch: The Whiteboard

Cisco Umbrella
Cisco Umbrella: Policy Build and Full Deployment Network
Cisco Umbrella: Policy Build and Full Deployment (Roaming Client)
Cisco Umbrella: Policy Build (Internal Network AD Integration)
Enabling Cisco Umbrella (OpenDNS) on FTD: (Forwarders and Destination NAT)
Enabling Cisco Umbrella OpenDNS on FTD: (All DNS Requests and Destination NAT)
Cisco Anyconnect: Integration with Umbrella - User Experience
Cisco Anyconnect: Umbrella Integration Configuration
Cisco Umbrella: Intelligent Proxy (SSL Decrypt)

Cisco AnyConnect with Umbrella
Cisco Anyconnect: Integration with Umbrella - User Experience
Cisco Anyconnect: Remote Access VPN (AD Integration)
Cisco Anyconnect: Remote Access VPN (Dual Authentication)
Cisco Anyconnect: Umbrella Integration Configuration
Cisco Anyconnect: Remote Access PerAPP VPN with MDM Configuration
Cisco Anyconnect: iPhone with MDM perAPP VPN (User Experience)
Cisco Anyconnect: Corporate and Non-Corporate (User Experience)

Endpoint AMP
Cisco Endpoint AMP: Quick Start (Windows)
Cisco Endpoint AMP: Analysis (Zero Access)
Cisco Endpoint AMP: Analysis (WannaCry)
Cisco Endpoint AMP: Analysis (Low Prevalence)
Cisco Endpoint AMP: Analysis (Command Line Kovter)
Cisco Endpoint AMP: Analysis: Command Line Capture (Meterpreter)
Cisco Endpoint AMP: Analysis (SF-EICAR)

Lab Minutes ACS 5.4 - http://www.labminutes.com/video/sec/ACS
ACS 5.4 Patch Install and Remove
ACS 5.4 Backup Restore
ACS 5.4 Distributed Deployment
ACS 5.4 Object Export Add Update and Delete
ACS 5.4 Directory Attribute and User Custom Attribute
ACS 5.4 AnyConnect VPN RADIUS Authentication and Authorization
ACS 5.4 Wireless 802.1X PEAP EAP-TLS with Machine Authentication (Part 2)
ACS 5.4 Wireless 802.1X PEAP EAP-TLS with Machine Authentication (Part 1)
ACS 5.4 Wired 802.1X PEAP EAP-TLS with Machine Authentication (Part 2)
ACS 5.4 Wired 802.1X PEAP EAP-TLS with Machine Authentication (Part 1)
ACS 5.4 Wired and Wireless MAC Authentication Bypass (MAB) (Part 2)
ACS 5.4 Wired and Wireless MAC Authentication Bypass (MAB) (Part 1)
ACS 5.4 TACACS Device Admin on WLC
ACS 5.4 Shell Privilege and Command Authorization
ACS 5.4 TACACS Device Admin on Switch and ASA (Part 2)
ACS 5.4 TACACS Device Admin on Switch and ASA (Part 1)
ACS 5.4 LDAP Integration and Identity Store Sequences
ACS 5.4 AD Integration and Identity Store Sequences
ACS 5.4 Certificate Install
ACS 5.4 Introduction to Web Interface and Basic Configuration
ACS 5.3 VMware Installation

ISE 1.1 - 2.2
ISE 1.1 VMware Installation 
ISE 1.1 Node Registration with Self-Signed Certificate 
ISE 1.1 Node Registration with CA-Signed Certificate 
ISE 1.1 Introduction to Web Interface & Basic Configuration 
ISE 1.1 AD Integration and Identity Source Sequence 
ISE 1.1 LDAP Integration and Identity Source Sequence 
ISE 1.1 Device Admin RADIUS Authentication 
ISE 1.1 Device Admin RADIUS Authorization 
ISE 1.1 Backup Restore 
ISE 1.1 802.1X Switch & WLC Recommended Config 
ISE 1.1 Profiling, Probing, and MAC Authentication Bypass 
ISE 1.1 Wired 802.1X and Machine Authentication with PEAP 
ISE 1.1 Wireless 802.1X and Machine Authentication with PEAP 
ISE 1.1 Wired 802.1X and Machine Authentication with EAP-TLS 
ISE 1.1 Wireless 802.1X and Machine Authentication with EAP-TLS 
ISE 1.1 iPhone SCEP Certificate Install with EAP-TLS
ISE 1.1 User and Machine Authentication with EAP Chaining 
ISE 1.1 BYOD (Part 1) - Wired 802.1X Onboarding 
ISE 1.1 BYOD (Part 2) - Wireless Onboarding Single SSID 
ISE 1.1 BYOD (Part 3) - Wireless Onboarding Single SSID Testing 
ISE 1.1 BYOD (Part 4) - Wireless Onboarding Dual SSID 
ISE 1.1 BYOD (Part 5) - Wireless Onboarding Dual SSID Testing 
ISE 1.1 Posture Assessment with NAC Agent 
ISE 1.1 Posture Assessment with Web Agent 
ISE 1.1 Sponsor and Guest 
ISE 1.1 Patch Install and Rollback 
ISE 1.1 Security Group Access (SGA) with ASA 9.1 TrustSec 
Windows 2008 Enterprise CA SCEP Installation 
Windows 2008 CA SCEP Auto-Enrollment Options 
Windows 2008 CA User and Computer Certificate Auto-Enrollment 
Windows 2008 Wired and Wireless Setting Deployment with GPO 
Introduction to Cisco TrustSec 

ISE 1.2 VMware Sizing and Installation 
ISE 1.1 to 1.2 Upgrade 
ISE 1.2 New Features 
ISE 1.2 Distributed Deployment with Wildcard Certificate 
ISE 1.2 Endpoint Protection Service (EPS) 
ISE 1.2 AnyConnect VPN RADIUS Authentication and Authorization
ISE 1.2 Wireless 802.1X Authorization with FlexConnect 
ISE 1.2 BYOD Wireless Onboarding Single SSID 
ISE 1.2 BYOD MDM Integration 
ISE 1.2 Wireless Guest with HTML Customized Portal 

ISE 1.3 VMware Installation 
ISE 1.3 New Features and Web Interface Update 
ISE 1.3 Certificate and Node Registration 
ISE 1.3 Multi-Domain AD Integration 
ISE 1.3 Wired 802.1X with EAP-TLS and PEAP 
ISE 1.3 Wireless 802.1X with EAP-TLS and PEAP 
ISE 1.3 Internal Certificate Authority (CA) Setup 
ISE 1.3 BYOD Wired 802.1X Onboarding (Internal CA) 
ISE 1.3 BYOD Wireless Onboarding with Single SSID (Internal CA) 
ISE 1.3 BYOD Wireless Onboarding with Dual SSID (Internal CA) 
ISE 1.3 BYOD Certificate Renewal 
ISE 1.3 BYOD, MyDevices, and Blacklist Portals and Customization
ISE 1.3 BYOD Meraki MDM Integration 
ISE 1.3 Posture Assessment with AnyConnect Client 
ISE 1.3 Posture Assessment on AnyConnect VPN 
ISE 1.3 Guest Access with Hotspot 
ISE 1.3 Guest Access with Sponsor Guest
ISE 1.3 Guest Access with Self-Registration 
ISE 1.3 802.1X and CWA Chaining 
ISE 1.3 Guest Access Posture Compliance 
ISE 1.3 Guest Access Portal Customization
ISE 1.3 pxGrid
ISE 1.3 Administration Login 

ISE 2.0 New Features and Web Interface Update 
ISE 2.0 TACACS+ Device Admin with Shell Profile 
ISE 2.0 TACACS+ Device Admin with Command Authorization 
ISE 2.0 Migration Tool 
ISE 2.0 802.1X Switch Config with Identity Control Policy 
ISE 2.0 3rd Party NAD (Aruba MAB 802.1X)
ISE 2.0 3rd Party NAD (Aruba Guest Posture BYOD) 
ISE 2.0 Location Based Authorization 
ISE 2.0 Certificate Provisioning Portal 
ISE 2.0 Internal CA SCEP with AnyConnect VPN 
ISE 2.0 Meraki MDM with Wireless 
ISE 2.0 Meraki MDM with AnyConnect VPN
ISE 2.0 TrustSec - Network Device Authentication 
ISE 2.0 TrustSec - SGT Assignment 
ISE 2.0 TrustSec - SGACL 
ISE 2.0 TrustSec - FlexVPN and ZBFW 
ISE 2.0 TrustSec - SXP 
ISE 2.0 TrustSec - MACsec 
ISE 2.0 pxGrid with ASA Firepower 
ISE 2.0 Adaptive Network Control (ANC) 

ISE 2.2 VMware Sizing and Installation 
ISE 2.2 License Install and Smart Licensing 
ISE 2.2 New Features and Intro to Web Interface
ISE 2.2 Certificate and Node Registration 
ISE 2.2 Device Profiling and Probing 
ISE 2.2 MAC Authentication Bypass (MAB) 
ISE 2.2 Wired 802.1X with EAP-TLS and PEAP 
ISE 2.2 Wireless 802.1X with EAP-TLS and PEAP 
ISE 2.2 User and Machine Authentication with EAP Chaining 
ISE 2.2 BYOD Wired 802.1X Onboarding 
ISE 2.2 BYOD Wireless Onboarding with Single SSID 
ISE 2.2 BYOD Wireless Onboarding with Dual SSID 
ISE 2.2 Posture Assessment with AnyConnect Client 
ISE 2.2 Posture Stealth Mode and 3rd Party NAD 
ISE 2.2 Guest Access with Hotspot 
ISE 2.2 Guest Access with Sponsored Guest 
ISE 2.2 Guest Access with Self-Registration 
ISE 2.2 Easy Wireless Setup 
ISE 2.2 PassiveID and pxGrid 
ISE 2.2 Easy Connect 
ISE 2.2 Threat Centric NAC (TCN) 
ISE 2.2 Anomalous Endpoint 
ISE 2.2 Backup Restore 
ISE 2.2 Distributed Deployment Upgrade 
ISE 2.2 Patch Install and Rollback 

Lab Minutes FlexVPN
FlexVPN Introduction to IKEv2
FlexVPN IKEv2 Basic Configuration (Part 1)
FlexVPN IKEv2 Basic Configuration (Part 2)
FlexVPN IKEv2 Basic Configuration (Part 3)
FlexVPN L2L with Pre-Shared Key (Part 1)
FlexVPN L2L with Pre-Shared Key (Part 2)
FlexVPN L2L with Pre-Shared Key (Part 3)
FlexVPN L2L with Certificate (Part 1)
FlexVPN L2L with Certificate (Part 2)
FlexVPN L2L with Certificate (Part 3)
FlexVPN L2L with Static and Dynamic Routing (Part 1)
FlexVPN L2L with Static and Dynamic Routing (Part 2)
FlexVPN L2L with Next Generation Encryption (Part 1)
FlexVPN L2L with Next Generation Encryption (Part 2)
FlexVPN L2L with Dynamic Virtual Tunnel Interface (DVTI) (Part 1)
FlexVPN L2L with Dynamic Virtual Tunnel Interface (DVTI) (Part 2)
FlexVPN L2L with Dynamic Virtual Tunnel Interface (DVTI) (Part 3)
FlexVPN L2L with dVTI and External PSK (Part 1)
FlexVPN L2L with dVTI and External PSK (Part 2)
FlexVPN L2L with Spoke-to-Spoke (Part 1)
FlexVPN L2L with Spoke-to-Spoke (Part 2)
FlexVPN Server with Router Client (Part 1)
FlexVPN Server with Router Client (Part 2)
FlexVPN Server with Router Client (Part 3)
FlexVPN Server with Router Client (Part 4)
FlexVPN Server with AnyConnect Client (Part 1)
FlexVPN Server with AnyConnect Client (Part 2)
FlexVPN Server with AnyConnect Client (Part 3)
FlexVPN Server with Windows IKEv2 Client (Part 1)
FlexVPN Server with Windows IKEv2 Client (Part 2)
FlexVPN Server with Local and External Authorization (Part 1)
FlexVPN Server with Local and External Authorization (Part 2)
FlexVPN Server with Local and External Authorization (Part 3)
FlexVPN with FVRF and IVRF (Part 1)
FlexVPN with FVRF and IVRF (Part 2)
FlexVPN with FVRF and IVRF (Part 3)
FlexVPN Redundancy with Dual Hub Dual Cloud (Part 1)
FlexVPN Redundancy with Dual Hub Dual Cloud (Part 2)
FlexVPN Redundancy with Dual Hub Dual Cloud (Part 3)
FlexVPN Redundancy with Dual Hub Single Cloud (Part 1)
FlexVPN Redundancy with Dual Hub Single Cloud (Part 2)
FlexVPN Redundancy with Dual Hub Single Cloud (Part 3)
FlexVPN Redundancy with Dual Hub Single Cloud (Part 4)

SSLVPN Clientless
SSL VPN ASA Certificate Install
SSL VPN Tunnel-Group Group-Policy (Part 1)
SSL VPN Tunnel-Group Group-Policy (Part 2)
SSL VPN Clientless Bookmark and Auto-Sign On
SSLVPN Clientless Plugins
SSLVPN Clientless Port Forwarding
SSLVPN Clientless Smart Tunnel (Part 1)
SSLVPN Clientless Smart Tunnel (Part 2)
SSLVPN Clientless Web ACL and Smart Tunnel Security (Part 1)
SSLVPN Clientless Web ACL and Smart Tunnel Security (Part 2)

SSLVPN AnyConnect
SSLVPN AnyConnect Client Basic (Part 1)
SSLVPN AnyConnect Client Basic (Part 2)
SSLVPN AnyConnect Client Address Assignment
SSLVPN AnyConnect Client External Group Policy
SSLVPN AnyConnect Client LDAP Attribute Mapping
SSLVPN AnyConnect Client Certificate and Double Authentication (Part 1)
SSLVPN AnyConnect Client Certificate and Double Authentication (Part 2)
SSLVPN AnyConnect Hostscan and Endpoint Assessment (Part 1)
SSLVPN AnyConnect Hostscan and Endpoint Assessment (Part 2)
SSLVPN AnyConnect Dynamic Access Policy (DAP) (Part 1)
SSLVPN AnyConnect Dynamic Access Policy (DAP) (Part 2)
SSLVPN AnyConnect Secure Mobility Basic
SSLVPN AnyConnect Secure Mobility Start Before Logon
SSLVPN AnyConnect Secure Mobility Miscellaneous Features (Part 1)
SSLVPN AnyConnect Secure Mobility Miscellaneous Features (Part 2)
SSLVPN AnyConnect Secure Mobility OnConnect Script
SSLVPN AnyConnect Secure Mobility SCEP Proxy (Part 1)
SSLVPN AnyConnect Secure Mobility SCEP Proxy (Part 2)
SSLVPN AnyConnect Secure Mobility Always-On VPN
SSLVPN AnyConnect Mobile and On-Demand VPN (Part 1)
SSLVPN AnyConnect Mobile and On-Demand VPN (Part 2)
SSLVPN AnyConnect Secure Mobility with IPSec IKEv2
SSLVPN AnyConnect Portal and Client Customization (Part 1)
SSLVPN AnyConnect Portal and Client Customization (Part 2)

FirePOWER and FTD
ASA FirePower Service Installation
ASA FirePower FireSight System Installation
ASA FirePower FireSight Basic Configuration (Part 1)
ASA FirePower FireSight Basic Configuration (Part 2)
ASA FirePower Device Management and License Install
ASA FirePower Software Update
ASA FirePower Introduction to FireSight Web Interface (Part 1)
ASA FirePower Introduction to FireSight Web Interface (Part 2)
ASA FirePower Network Discovery (Host and Application) (Part 1)
ASA FirePower Network Discovery (Host and Application) (Part 2)
ASA FirePower Network Discovery (Host and Application) (Part 3)
ASA FirePower Network Discovery (User with AD User Agent) (Part 1)
ASA FirePower Network Discovery (User with AD User Agent) (Part 2)
ASA FirePower Object and Access Control (Part 1)
ASA FirePower Object and Access Control (Part 2)
ASA FirePower Security Intelligence (Part 1)
ASA FirePower Security Intelligence (Part 2)
ASA FirePower Application Filtering (Part 1)
ASA FirePower Application Filtering (Part 2)
ASA FirePower Custom Application Detector (Part 1)
ASA FirePower Custom Application Detector (Part 2)
ASA FirePower URL and Web Category Filtering (Part 1)
ASA FirePower URL and Web Category Filtering (Part 2)
ASA FirePower File Type Filtering (Part 1)
ASA FirePower File Type Filtering (Part 2)
ASA FirePower Malware Detection (Part 1)
ASA FirePower Malware Detection (Part 2)
ASA FirePower IPS Basic (Part 1)
ASA FirePower IPS Basic (Part 2)
ASA FirePower IPS Advance (Part 1)
ASA FirePower IPS Advance (Part 2)
ASA FirePower IPS Custom Rule
ASA FirePower Compliance Enforcement with Whitelist
ASA FirePower Event Correlation and Remediation (Part 1)
ASA FirePower Event Correlation and Remediation (Part 2)
ASA FirePower Traffic Profile
ASA FirePower External User Authentication
ASA FirePower Backup and Restore
ASA Firepower 6.0 New Features and Web Interface Update (Part 1)
ASA Firepower 6.0 New Features and Web Interface Update (Part 2)
ASA Firepower 6.0 Multiple Domain Management (Part 1)
ASA Firepower 6.0 Multiple Domain Management (Part 2)
ASA Firepower 6.0 URL and DNS Security Intelligence (Part 1)
ASA Firepower 6.0 URL and DNS Security Intelligence (Part 2)
ASA Firepower 6.0 URL and DNS Security Intelligence (Part 3)
ASA Firepower 6.0 Passive and Active Authentication (Part 1)
ASA Firepower 6.0 Passive and Active Authentication (Part 2)
ASA Firepower 6.0 Passive and Active Authentication (Part 3)
ASA Firepower 6.0 SSL Decryption (Part 1)
ASA Firepower 6.0 SSL Decryption (Part 2)
ASA Firepower 6.0 Certificate-Based Access Control (Part 1)
ASA Firepower 6.0 Certificate-Based Access Control (Part 2)
FTD 6.1 ASA Device Installation (Part 1)
FTD 6.1 ASA Device Installation (Part 2)
FTD 6.1 Firepower Device Manager - Introduction (Part 1)
FTD 6.1 Firepower Device Manager - Introduction (Part 2)
FTD 6.1 Firepower Device Manager - Configuration (Part 1)
FTD 6.1 Firepower Device Manager - Configuration (Part 2)
FTD 6.1 Firepower Device Manager - Configuration (Part 3)
FTD 6.1 Firepower Device Manager - Configuration (Part 4)
FTD 6.1 NGFWv and NGIPSv Device Installation (Part 1)
FTD 6.1 NGFWv and NGIPSv Device Installation (Part 2)
FTD 6.1 Device Registration and Smart Licensing (Part 1)
FTD 6.1 Device Registration and Smart Licensing (Part 2)
FTD 6.1 FMC Web Interface and New Features (Part 1)
FTD 6.1 FMC Web Interface and New Features (Part 2)
FTD 6.1 NGIPSv IDS and IPS Modes (Part 1)
FTD 6.1 NGIPSv IDS and IPS Modes (Part 2)
FTD 6.1 NGIPSv IDS and IPS Modes (Part 3)
FTD 6.1 Firewall Mode and Interface Type (Part 1)
FTD 6.1 Firewall Mode and Interface Type (Part 2)
FTD 6.1 Firewall Mode and Interface Type (Part 3)
FTD 6.1 Basic Configuration (Part 1)
FTD 6.1 Basic Configuration (Part 2)
FTD 6.1 Basic Configuration (Part 3)
FTD 6.1 Routing - Static BGP (Part 1)
FTD 6.1 Routing - Static BGP (Part 2)
FTD 6.1 Routing - Static BGP (Part 3)
FTD 6.1 Routing - Static BGP (Part 4)
FTD 6.1 Routing - OSPF (Part 1)
FTD 6.1 Routing - OSPF (Part 2)
FTD 6.1 Routing - OSPF (Part 3)
FTD 6.1 IPv6 (Part 1)
FTD 6.1 IPv6 (Part 2)
FTD 6.1 IPv6 (Part 3)
FTD 6.1 IPv6 (Part 4)
FTD 6.1 Network Address Translation (NAT) (Part 1)
FTD 6.1 Network Address Translation (NAT) (Part 2)
FTD 6.1 Network Address Translation (NAT) (Part 3)
FTD 6.1 Network Address Translation (NAT) (Part 4)
FTD 6.1 Network Address Translation (NAT) (Part 5)
FTD 6.1 Prefilter Policy (Part 1)
FTD 6.1 Prefilter Policy (Part 2)
FTD 6.1 Prefilter Policy (Part 3)
FTD 6.1 Multicast and QoS (Part 1)
FTD 6.1 Multicast and QoS (Part 2)
FTD 6.1 Multicast and QoS (Part 3)
FTD 6.1 Safesearch and Youtube EDU (Part 1)
FTD 6.1 Safesearch and Youtube EDU (Part 2)
FTD 6.1 Inline SGT (Part 1)
FTD 6.1 Inline SGT (Part 2)
FTD 6.1 ISE Remediation (Part 1)
FTD 6.1 ISE Remediation (Part 2)
FTD 6.1 ISE Remediation (Part 3)
FTD 6.1 Site-to-Site VPN (Part 1)
FTD 6.1 Site-to-Site VPN (Part 2)
FTD 6.1 Site-to-Site VPN (Part 3)
FTD 6.1 High Availability (HA) (Part 1)
FTD 6.1 High Availability (HA) (Part 2)
FTD 6.1 Conversion to ASA

Sunday, September 9, 2018

My CCIE Security Journey - Post 1

Shortly after Cisco Live 2017 in Las Vegas, and a family vacation to Florida, I made the decision to renew my CCNA Security certification. I received the certification back in January 2014, right after earning CCNP R&S. It took some time to work through the blueprint, much of which I hadn't dealt with: ASA, SSLVPN, AnyConnect. I used INE's CCNA Security VoD to help bridge the gap.

I took a bunch of notes, created a PowerPoint, a lab topology and a list of labs I wanted to demonstrate in the VoDs. I created a workbook and then recorded the series. It was a lot of fun and allowed me to cover content that I had always wanted to cover. Shortly after the series was finished, I was tasked with my first AnyConnect project that integrated with ISE and certificates. Very complex compared to the CCNA-level stuff I had covered.

I had an INE AAP and started to cover the CCNP Security SIMOS material. This really helped, since it was what I had to deploy. It took a few months and I wrapped up the project. I was then tasked with a large switch upgrade. I figured, being a CCIE in R&S, piece of cake! Not! The switch side was easy; it was the heavy integration of ISE for MAB and 802.1X authentication that made me hate life for a couple of days. I found the INE CCNP Security SISAS ISE VoD, another score for me. Six weeks later, and after a bit of scope creep (TACACS was requested over RADIUS), I was done with that project.

I figured it was time to hit the firewall and threat defense VoDs. Well, an SP was a customer and so was a big bank, so my focus shifted to SP stuff: L3VPN and L2VPN, BGP, DMVPN, OTV and QoS. This took the bulk of my time and security was on the back burner. After several months these projects wrapped up and I was hot on the trail to CCIE SP; since I had a CCNP SP it made sense. Not long after that, I switched jobs to an SP, more DC than SP. Several months in, I have found myself on the front lines with security again.

Since it is a major focus for me, and has been for a few months now, I made the decision to commit to it. This means a regimented approach had to happen. I had to be honest with myself and come up with a plan of attack to cover the material efficiently but not waste time on areas I was familiar with. DMVPN, IOS FW and parts of IPsec I can skip over for now, focusing first on the areas I'm not familiar with: ASA, GETVPN, FLEXVPN, SSLVPN, ISE, ACS, FTD, WSA, ESA and AMP. That's the majority of the blueprint right there. I've had exposure to ISE and FTD from previous jobs, so I chose to leave them for later. As it sits now, ASA FW is my current focus, then VPNs, then circle back to IOS FW to round out the infrastructure stuff. Then AAA, ISE, ACS, WSA, ESA, FTD and AMP.

My goal in the next several posts is to lay out a detailed expanded blueprint of what I am covering. From my research thus far, there are several resources online (INE, Micronics, CiscoLive, LabMinutes and others) that have produced material covering the technologies. My goal is to work through the technologies and put together a holistic solution through RIT in the near future. This time, I won't be doing CCNP and then CCIE; I am going directly to CCIE, and CCNP Security will come later. Feel free to join me in the journey, comment below and follow the blog, and if you're interested, follow me on social media, @rikerrob on Twitter.

Thanks for stopping by!
Rob Riker, CCIE #50693 (R&S) for now.

Thursday, May 10, 2018

Segment Routing with RSVP-Traffic Engineering Tunnels

In the previous post we discussed setting up SR.

SR is now running, but it's relying on the IGP for the shortest path through the SP core. RSVP-TE is used to choose the best route, which is not necessarily the shortest path. We'll pretend that the connections between XR1 and XR2, and between XR3 and XR4, are 10 Gbps connections, while the rest of the network is 40 Gbps. The goal is to build a TE tunnel that takes the path XR1 > XR5 > XR6 > XR2 > XR3 > XR7 > XR8 > XR4, which effectively bypasses the slower links. There will also be a backup path option that can take the direct XR1 > XR2 > XR3 > XR4 path.

The first thing that needs to be done is enabling MPLS Traffic Engineering and RSVP on the core links, and enabling OSPF area 0 to support MPLS TE.


XR1 - XR8
router ospf 1
 area 0
  mpls traffic-eng
 !
 mpls traffic-eng router-id Loopback0


XR1
rsvp
 interface GigabitEthernet0/0/0/0.112
  bandwidth 750000
 !
 interface GigabitEthernet0/0/0/0.115
  bandwidth 750000
 !
!
mpls traffic-eng
 interface GigabitEthernet0/0/0/0.112
 !
 interface GigabitEthernet0/0/0/0.115


XR2
rsvp
 interface GigabitEthernet0/0/0/0.112
  bandwidth 750000
 !
 interface GigabitEthernet0/0/0/0.123
  bandwidth 750000
 !
 interface GigabitEthernet0/0/0/0.126
  bandwidth 750000
 !
!
mpls traffic-eng
 interface GigabitEthernet0/0/0/0.112
 !
 interface GigabitEthernet0/0/0/0.123
 !
 interface GigabitEthernet0/0/0/0.126


XR3
rsvp
 interface GigabitEthernet0/0/0/0.123
  bandwidth 750000
 !
 interface GigabitEthernet0/0/0/0.134
  bandwidth 750000
 !
 interface GigabitEthernet0/0/0/0.137
  bandwidth 750000
 !
!
mpls traffic-eng
 interface GigabitEthernet0/0/0/0.123
 !
 interface GigabitEthernet0/0/0/0.134
 !
 interface GigabitEthernet0/0/0/0.137


XR4
rsvp
 interface GigabitEthernet0/0/0/0.134
  bandwidth 750000
 !
 interface GigabitEthernet0/0/0/0.148
  bandwidth 750000
 !
!
mpls traffic-eng
 interface GigabitEthernet0/0/0/0.134
 !
 interface GigabitEthernet0/0/0/0.148


XR5
rsvp
 interface GigabitEthernet0/0/0/0.115
  bandwidth 750000
 !
 interface GigabitEthernet0/0/0/0.156
  bandwidth 750000
 !
!
mpls traffic-eng
 interface GigabitEthernet0/0/0/0.115
 !
 interface GigabitEthernet0/0/0/0.156


XR6
rsvp
 interface GigabitEthernet0/0/0/0.126
  bandwidth 750000
 !
 interface GigabitEthernet0/0/0/0.156
  bandwidth 750000
 !
 interface GigabitEthernet0/0/0/0.167
  bandwidth 750000
 !
!
mpls traffic-eng
 interface GigabitEthernet0/0/0/0.126
 !
 interface GigabitEthernet0/0/0/0.156
 !
 interface GigabitEthernet0/0/0/0.167


XR7
rsvp
 interface GigabitEthernet0/0/0/0.137
  bandwidth 750000
 !
 interface GigabitEthernet0/0/0/0.167
  bandwidth 750000
 !
 interface GigabitEthernet0/0/0/0.178
  bandwidth 750000
 !
!
mpls traffic-eng
 interface GigabitEthernet0/0/0/0.137
 !
 interface GigabitEthernet0/0/0/0.167
 !
 interface GigabitEthernet0/0/0/0.178


XR8
rsvp
 interface GigabitEthernet0/0/0/0.148
  bandwidth 750000
 !
 interface GigabitEthernet0/0/0/0.178
  bandwidth 750000
 !
!
mpls traffic-eng
 interface GigabitEthernet0/0/0/0.148
 !
 interface GigabitEthernet0/0/0/0.178

Now that we have built the TE topology, we can build the unidirectional tunnel from XR1 to XR4 via the path laid out above; there should also be a second path option that follows the IGP path. The tunnel should be announced into the IGP (autoroute announce) so that the route to XR4 points at the tunnel.

XR1
explicit-path name SR_TE
 index 1 next-address strict ipv4 unicast 192.0.2.25
 index 2 next-address strict ipv4 unicast 192.0.2.26
 index 3 next-address strict ipv4 unicast 192.0.2.22
 index 4 next-address strict ipv4 unicast 192.0.2.23
 index 5 next-address strict ipv4 unicast 192.0.2.27
 index 6 next-address strict ipv4 unicast 192.0.2.28
 index 7 next-address strict ipv4 unicast 192.0.2.24
!
interface tunnel-te1
 ipv4 unnumbered Loopback0
 autoroute announce
 !
 destination 192.0.2.24
 path-option 5 explicit name SR_TE segment-routing
 path-option 10 segment-routing

RP/0/0/CPU0:XR1#sh ip int br
tunnel-te1                     192.0.2.21      Up              Up       default 

We can see that the tunnel was signaled successfully; if it wasn't, the tunnel wouldn't come up/up.

RP/0/0/CPU0:XR1#show mpls traffic-eng tunnels 1 
Thu May 10 22:34:29.600 UTC


Name: tunnel-te1  Destination: 192.0.2.24  Ifhandle:0x680 
  Signalled-Name: XR1_t1
  Status:
    Admin:    up Oper:   up   Path:  valid   Signalling: connected

    path option 5, (Segment-Routing) type explicit SR_TE (Basis for Setup)
      Protected-by PO index: none
    path option 10,  type segment-routing 
    G-PID: 0x0800 (derived from egress interface properties)
    Bandwidth Requested: 0 kbps  CT0
    Creation Time: Thu May 10 21:31:07 2018 (01:03:23 ago)
  Config Parameters:
    Bandwidth:        0 kbps (CT0) Priority:  7  7 Affinity: 0x0/0xffff
    Metric Type: TE (default)
    Path Selection:
      Tiebreaker: Min-fill (default)
      Protection: any (default)
    Hop-limit: disabled
    Cost-limit: disabled
    Path-invalidation timeout: 10000 msec (default), Action: Tear (default)
    AutoRoute:  enabled  LockDown: disabled   Policy class: not set
    Forward class: 0 (default)
    Forwarding-Adjacency: disabled
    Loadshare:          0 equal loadshares
    Auto-bw: disabled
    Path Protection: Not Enabled
    BFD Fast Detection: Disabled
    Reoptimization after affinity failure: Enabled
    SRLG discovery: Disabled
  History:
    Tunnel has been up for: 01:03:22 (since Thu May 10 21:31:08 UTC 2018)
    Current LSP:
      Uptime: 00:52:10 (since Thu May 10 21:42:20 UTC 2018)
    Prior LSP:
      ID: 2 Path Option: 10
      Removal Trigger: reoptimization completed

  Segment-Routing Path Info (OSPF 1 area 0)
    Segment0[Node]: 192.0.2.25, Label: 16025
    Segment1[Node]: 192.0.2.26, Label: 16026
    Segment2[Node]: 192.0.2.22, Label: 16022
    Segment3[Node]: 192.0.2.23, Label: 16023
    Segment4[Node]: 192.0.2.27, Label: 16027
    Segment5[Node]: 192.0.2.28, Label: 16028
    Segment6[Node]: 192.0.2.24, Label: 16024
Displayed 1 (of 1) heads, 0 (of 0) midpoints, 0 (of 0) tails
Displayed 1 up, 0 down, 0 recovering, 0 recovered heads

The MPLS TE tunnel output shows that SR is being used to build the tunnel, meaning that SR labels will be used rather than RSVP-TE labels, which would start at 24000 and above. The path currently in use is option 5, the explicit path SR_TE defined above.

RP/0/0/CPU0:XR1#sh route 192.0.2.24
Thu May 10 22:35:40.545 UTC

Routing entry for 192.0.2.24/32
  Known via "ospf 1", distance 110, metric 4, labeled SR, type intra area
  Installed May 10 21:31:09.200 for 01:04:31
  Routing Descriptor Blocks
    192.0.2.24, from 192.0.2.24, via tunnel-te1
      Route metric is 4
  No advertising protos. 

Expanding the route to XR4's loopback, we see that it now points at tunnel-te1 and is a labeled SR path.

RP/0/0/CPU0:XR1#sh cef 192.0.2.24
Thu May 10 22:35:56.954 UTC
192.0.2.24/32, version 46, internal 0x1000001 0x1 (ptr 0xa12b3a74) [1], 0x0 (0xa127f584), 0xa20 (0xa150d320)
 Updated May 10 21:31:09.460
 Prefix Len 32, traffic index 0, precedence n/a, priority 3
   via 192.0.2.24/32, tunnel-te1, 7 dependencies, weight 0, class 0 [flags 0x0]
    path-idx 0 NHID 0x0 [0xa0f164f0 0xa0f16154]
    next hop 192.0.2.24/32
    local adjacency
     local label 24007      labels imposed {ImplNull}

Looking at the CEF table, we can see that label 24007 was allocated as an adjacency SID, since tunnel-te1 is a new tunnel and therefore a label needs to be allocated for it.

RP/0/0/CPU0:XR1#sh mpls forwarding labels 24007
Thu May 10 22:50:33.174 UTC
Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes       
Label  Label       or ID              Interface                    Switched    
------ ----------- ------------------ ------------ --------------- ------------

24007  Pop         192.0.2.24/32      tt1          192.0.2.24      0   

We can prove that by looking at what label 24007 was applied to; in this case it is the TE tunnel.

Once the tunnel is up, a re-optimization may be needed for it to take the explicit path.

RP/0/0/CPU0:XR1#mpls traffic-eng reoptimize 1

Now that we have a TE tunnel up and running, the routing table shows that traffic towards XR4 will take the TE tunnel. Let's do a trace from XR1 to XR4 and see what happens.

RP/0/0/CPU0:XR1#traceroute 192.0.2.24 source 192.0.2.21 num
Thu May 10 22:36:40.701 UTC

Type escape sequence to abort.
Tracing the route to 192.0.2.24

 1  100.64.115.15 [MPLS: Labels 16026/16022/16023/16027/16028/16024 Exp 0] 139 msec  119 msec  109 msec 
 2  100.64.156.16 [MPLS: Labels 16022/16023/16027/16028/16024 Exp 0] 119 msec  109 msec  149 msec 
 3  100.64.126.12 [MPLS: Labels 16023/16027/16028/16024 Exp 0] 119 msec  119 msec  119 msec 
 4  100.64.123.13 [MPLS: Labels 16027/16028/16024 Exp 0] 129 msec  109 msec  119 msec 
 5  100.64.137.17 [MPLS: Labels 16028/16024 Exp 0] 109 msec  119 msec  119 msec 
 6  100.64.178.18 [MPLS: Label 16024 Exp 0] 119 msec  129 msec  109 msec 
 7  100.64.148.14 109 msec  *  109 msec 

We can see that the TE tunnel is being taken with the 7 SR label stack. This stack is imposed as the traffic hits the ingress PE.

R1#ping 192.0.2.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.0.2.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/86/90 ms

R1#traceroute 192.0.2.2 source lo0 num
Type escape sequence to abort.
Tracing the route to 192.0.2.2
VRF info: (vrf in name/id, vrf out name/id)
  1 100.64.101.11 19 msec 7 msec 10 msec
  2 100.64.115.15 [MPLS: Labels 16026/16022/16023/16027/16028/16024/24004 Exp 0] 131 msec 133 msec 126 msec
  3 100.64.156.16 [MPLS: Labels 16022/16023/16027/16028/16024/24004 Exp 0] 143 msec 134 msec 123 msec
  4 100.64.126.12 [MPLS: Labels 16023/16027/16028/16024/24004 Exp 0] 143 msec 129 msec 124 msec
  5 100.64.123.13 [MPLS: Labels 16027/16028/16024/24004 Exp 0] 140 msec 133 msec 126 msec
  6 100.64.137.17 [MPLS: Labels 16028/16024/24004 Exp 0] 141 msec 138 msec 124 msec
  7 100.64.178.18 [MPLS: Labels 16024/24004 Exp 0] 135 msec 132 msec 128 msec
  8 100.64.148.14 [MPLS: Label 24004 Exp 0] 130 msec 133 msec 127 msec
  9 100.64.103.2 133 msec *  136 msec


The ping above worked, but a ping doesn't show the SR-TE label stack. The traceroute does: its output shows that the entire stack is imposed as traffic enters the SP core.
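As an added example (not part of the original post), the following Python script parses the CE-to-CE traceroute above, checks that every labelled hop reports the previous hop's stack with its top label popped, splits the first stack into SRGB prefix SIDs and dynamic-range labels (the VPN label 24004), and compares the transport labels against the stack expected from the SR_TE explicit path. The SRGB (base 16000, size 8000), the explicit path and the loopback-to-prefix-SID mapping are taken from the two SR posts; the assumption that the first segment's label (16025) is never put on the wire because XR5 is the directly connected neighbour and advertises implicit-null for its own loopback is mine, and is marked in the code.

```python
import re

# Constructed sample input: the CE-to-CE traceroute from R1 shown above, copied as text.
TRACEROUTE = """\
Tracing the route to 192.0.2.2
VRF info: (vrf in name/id, vrf out name/id)
  1 100.64.101.11 19 msec 7 msec 10 msec
  2 100.64.115.15 [MPLS: Labels 16026/16022/16023/16027/16028/16024/24004 Exp 0] 131 msec 133 msec 126 msec
  3 100.64.156.16 [MPLS: Labels 16022/16023/16027/16028/16024/24004 Exp 0] 143 msec 134 msec 123 msec
  4 100.64.126.12 [MPLS: Labels 16023/16027/16028/16024/24004 Exp 0] 143 msec 129 msec 124 msec
  5 100.64.123.13 [MPLS: Labels 16027/16028/16024/24004 Exp 0] 140 msec 133 msec 126 msec
  6 100.64.137.17 [MPLS: Labels 16028/16024/24004 Exp 0] 141 msec 138 msec 124 msec
  7 100.64.178.18 [MPLS: Labels 16024/24004 Exp 0] 135 msec 132 msec 128 msec
  8 100.64.148.14 [MPLS: Label 24004 Exp 0] 130 msec 133 msec 127 msec
  9 100.64.103.2 133 msec *  136 msec
"""

SRGB_BASE, SRGB_SIZE = 16000, 8000          # SRGB from the OSPF Segment Routing Range TLV
DYNAMIC_MIN, DYNAMIC_MAX = 24000, 1048575   # adjacency SIDs, BGP VPN labels, RSVP-TE labels

# Explicit path SR_TE configured on XR1, and the prefix-SID each core loopback carries
# (192.0.2.2N has SID index 2N, so its label is 16000 + 2N, as shown in the posts)
EXPLICIT_PATH = ["192.0.2.25", "192.0.2.26", "192.0.2.22", "192.0.2.23",
                 "192.0.2.27", "192.0.2.28", "192.0.2.24"]
PREFIX_SID = {f"192.0.2.{n}": SRGB_BASE + n for n in range(21, 29)}

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\[MPLS: Labels? ([\d/]+) Exp \d+\])?")


def parse_hops(text):
    """Return (hop, address, [labels]) for each hop of IOS / IOS XR traceroute output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            labels = [int(x) for x in m.group(3).split("/")] if m.group(3) else []
            hops.append((int(m.group(1)), m.group(2), labels))
    return hops


def label_class(label):
    """Classify a label by the ranges the posts describe."""
    if SRGB_BASE <= label < SRGB_BASE + SRGB_SIZE:
        return "prefix-sid"
    if DYNAMIC_MIN <= label <= DYNAMIC_MAX:
        return "dynamic"
    return "other"


def expected_stack(path, sid_map, php_first_hop=True):
    """Transport stack the head-end imposes for an explicit path of node segments.
    Assumption (not from the post): the first segment is the directly connected neighbour,
    which advertises implicit-null for its own loopback, so its label is never on the wire."""
    stack = [sid_map[hop] for hop in path]
    return stack[1:] if php_first_hop else stack


def check_pops(hops):
    """Every labelled hop should report the previous hop's stack minus its top label."""
    stacks = [labels for _, _, labels in hops if labels]
    return [f"{cur} is not {prev} with the top label popped"
            for prev, cur in zip(stacks, stacks[1:]) if prev[1:] != cur]


def verify_path(text, path, sid_map):
    """Summarise whether the observed label stack matches the intended SR-TE path."""
    hops = parse_hops(text)
    first = next((labels for _, _, labels in hops if labels), [])
    transport = [l for l in first if label_class(l) == "prefix-sid"]
    service = [l for l in first if label_class(l) == "dynamic"]
    return {
        "hops": len(hops),
        "transport_labels": transport,
        "service_labels": service,
        "matches_explicit_path": transport == expected_stack(path, sid_map),
        "pop_errors": check_pops(hops),
    }


if __name__ == "__main__":
    for key, value in verify_path(TRACEROUTE, EXPLICIT_PATH, PREFIX_SID).items():
        print(f"{key}: {value}")
```

A non-empty pop_errors list would indicate a swap or an unexpected label somewhere along the path, and matches_explicit_path turning false after a reoptimization is a quick way to notice the tunnel has fallen back to path-option 10.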

Thanks for stopping by!
Rob Riker, CCIE #50693

Wednesday, May 9, 2018

Segment Routing on IOS XR 6.0

Segment Routing, or SR, is another labeling mechanism on IOS XR. Most people are familiar with LDP, the Label Distribution Protocol, for allocating labels to the PE and P loopbacks and their connected links. LDP requires the network to maintain a level of state that grows with the size of the network; if only a few routers make up the core, the level of state is pretty low.

The purpose of SR is to control the label allocation that the PE and P routers use for their loopbacks and the transit links. The key difference between SR and LDP is that with SR the label for the loopback interface is assigned by configuration. LDP does not do this; static labeling is supported but configuration intensive. SR uses a dedicated block of labels, the SRGB, with a range of 16000-23999.

LDP is deployed alongside the IGP but as a separate process; the IGP needs to converge before LDP does, or micro-loops can occur.

SR is configured under the IGP process for both OSPF and IS-IS. The SR labels are propagated inside IS-IS TLVs and OSPF Opaque LSAs.

There are 2 different label allocations: one for the loopback of the P or PE router and one for the connected links between the P and PE routers.

The loopback label is called the "Prefix SID" or Prefix Segment Identifier.
The transit label is called the "Adjacency SID" or Adjacency Segment Identifier.

The Prefix SID comes from the 16000-23999 label range, the SRGB.
The Adjacency SID comes from the dynamic label range 24000-1048575.

The only thing that changes in the MPLS L3VPN deployment here is that SR is the labeling technique; VRFs, MP-BGP, VRF-aware BGP PE-CE and IGP routing are still needed. Of the IOS routers R1-R4, R1 is ASN 101, R2 is ASN 102 and so forth. The ASN in the core is ASN 1. XR6 is a RR to the PE routers.

The configuration and verification outputs are below.

XR1
router ospf 1
 area 0
  segment-routing forwarding mpls
  segment-routing mpls
  interface Loopback0
   prefix-sid absolute 16021
  !
  interface GigabitEthernet0/0/0/0.112
  !
  interface GigabitEthernet0/0/0/0.115

XR2
router ospf 1
 area 0
  segment-routing forwarding mpls
  segment-routing mpls
  interface Loopback0
   prefix-sid absolute 16022
  !
  interface GigabitEthernet0/0/0/0.112
  !
  interface GigabitEthernet0/0/0/0.123
  !
  interface GigabitEthernet0/0/0/0.126

XR3
router ospf 1
 area 0
  segment-routing forwarding mpls
  segment-routing mpls
  interface Loopback0
   prefix-sid absolute 16023
  !
  interface GigabitEthernet0/0/0/0.123
  !
  interface GigabitEthernet0/0/0/0.134
  !
  interface GigabitEthernet0/0/0/0.137

XR4
router ospf 1
 area 0
  segment-routing forwarding mpls
  segment-routing mpls
  interface Loopback0
   prefix-sid absolute 16024
  !
  interface GigabitEthernet0/0/0/0.134
  !
  interface GigabitEthernet0/0/0/0.148

XR5
router ospf 1
 area 0
  segment-routing forwarding mpls
  segment-routing mpls
  interface Loopback0
   prefix-sid absolute 16025
  !
  interface GigabitEthernet0/0/0/0.115
  !
  interface GigabitEthernet0/0/0/0.156

XR6
router ospf 1
 area 0
  segment-routing forwarding mpls
  segment-routing mpls
  interface Loopback0
   prefix-sid absolute 16026
  !
  interface GigabitEthernet0/0/0/0.126
  !
  interface GigabitEthernet0/0/0/0.156
  !
  interface GigabitEthernet0/0/0/0.167

XR7
router ospf 1
 area 0
  segment-routing forwarding mpls
  segment-routing mpls
  interface Loopback0
   prefix-sid absolute 16027
  !
  interface GigabitEthernet0/0/0/0.137
  !
  interface GigabitEthernet0/0/0/0.167
  !
  interface GigabitEthernet0/0/0/0.178

XR8
router ospf 1
 area 0
  segment-routing forwarding mpls
  segment-routing mpls
  interface Loopback0
   prefix-sid index 28
  !
  interface GigabitEthernet0/0/0/0.148
  !
  interface GigabitEthernet0/0/0/0.178

XR8 is running 5.3 XR code, so the "absolute" option isn't supported. Index and absolute achieve the same thing: index specifies an offset that is added to the SRGB base of 16000, whereas absolute specifies the full label value.


RP/0/0/CPU0:XR1#sh mpls interfaces  detail 
Wed May  9 19:17:00.751 UTC
Interface GigabitEthernet0/0/0/0.112:
        LDP labelling not enabled
        LSP labelling not enabled
        MPLS enabled
Interface GigabitEthernet0/0/0/0.115:
        LDP labelling not enabled
        LSP labelling not enabled
        MPLS enabled

RP/0/0/CPU0:XR2#show mpls interfaces detail 
Wed May  9 19:18:20.711 UTC
Interface GigabitEthernet0/0/0/0.112:
        LDP labelling not enabled
        LSP labelling not enabled
        MPLS enabled
Interface GigabitEthernet0/0/0/0.123:
        LDP labelling not enabled
        LSP labelling not enabled
        MPLS enabled
Interface GigabitEthernet0/0/0/0.126:
        LDP labelling not enabled
        LSP labelling not enabled
        MPLS enabled

As you can see, LDP is not being used here, Segment Routing is.

R1 and R2 have now peered with the SP and advertised their loopbacks into BGP.

R1#sh ip route bgp | b  Gateway
Gateway of last resort is not set

      192.0.2.0/32 is subnetted, 2 subnets
B        192.0.2.2 [20/0] via 100.64.101.11, 10:18:02


R2#sh ip route bgp | b  Gateway
Gateway of last resort is not set

      192.0.2.0/32 is subnetted, 2 subnets
B        192.0.2.1 [20/0] via 100.64.103.14, 10:18:48

Now we'll do some traceroutes to see how Segment Routing looks different from LDP. NOTE - BGP VPNv4 is still used to allocate labels for customer-learned routes; these labels are pulled from the global dynamic label pool.

R2#traceroute 192.0.2.1 source loopback 0 numeric 
Type escape sequence to abort.
Tracing the route to 192.0.2.1
VRF info: (vrf in name/id, vrf out name/id)
  1 100.64.103.14 23 msec 14 msec 8 msec
  2 100.64.134.13 [MPLS: Labels 16021/24004 Exp 0] 107 msec 92 msec 91 msec
  3 100.64.123.12 [MPLS: Labels 16021/24004 Exp 0] 99 msec 97 msec 100 msec
  4 100.64.112.11 [MPLS: Label 24004 Exp 0] 99 msec 85 msec 88 msec
  5 100.64.101.1 89 msec *  110 msec

16021/24004 is the same 2-label stack we would normally see with LDP, except that with LDP the top label, the transport label, wouldn't be in the range of 16000-23999.

In this case, label 16021 isn't an arbitrary LDP allocation; this label value is configured on XR1 on the loopback interface and propagated to the other P/PE routers inside OSPF Opaque LSAs. All of the routers in the core know that to reach XR1 via a labeled path, they must use label 16021 to get there.

We'll take the next several outputs and examine them to break down how the label values above were allocated and where they fit in.

Let's see what routes we received in from XR1 via the RR of XR6.

RP/0/0/CPU0:XR4#sh bgp vpnv4 unicast neighbors 192.0.2.26 routes | b Network
Wed May  9 19:31:25.218 UTC
   Network            Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf A)
*>i192.0.2.1/32       192.0.2.21               0    100      0 101 i

Processed 1 prefixes, 1 paths

We can see that we learned 192.0.2.1 from 192.0.2.21, let's expand that to see what label value VPNv4 applied.

RP/0/0/CPU0:XR4#sh bgp vrf A 192.0.2.1/32
Wed May  9 19:25:24.652 UTC
BGP routing table entry for 192.0.2.1/32, Route Distinguisher: 1:1
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker                  4           4
Last Modified: May  9 09:00:02.407 for 10:25:22
Paths: (1 available, best #1)
  Advertised to CE peers (in unique update groups):
    100.64.103.2    
  Path #1: Received by speaker 0
  Advertised to CE peers (in unique update groups):
    100.64.103.2    
  101
    192.0.2.21 (metric 4) from 192.0.2.26 (192.0.2.21)
      Received Label 24004
      Origin IGP, metric 0, localpref 100, valid, internal, best, group-best, import-candidate, imported
      Received Path ID 0, Local Path ID 1, version 4
      Extended community: RT:1:1 
      Originator: 192.0.2.21, Cluster list: 192.0.2.26
      Source AFI: VPNv4 Unicast, Source VRF: A, Source Route Distinguisher: 1:1

We see that label 24004 was allocated by VPNv4 for the 192.0.2.1/32 route advertised by XR1. We have the VPN label; now we need to know what will be used as the transport label.

RP/0/0/CPU0:XR4#sh route 192.0.2.21
Wed May  9 19:34:21.986 UTC

Routing entry for 192.0.2.21/32
  Known via "ospf 1", distance 110, metric 4, labeled SR, type intra area
  Installed May  8 22:23:31.979 for 21:10:50
  Routing Descriptor Blocks
    100.64.134.13, from 192.0.2.21, via GigabitEthernet0/0/0/0.134
      Route metric is 4

  No advertising protos.

We see that the route was learned via OSPF as an intra-area route; more importantly, it is marked as labeled SR.

RP/0/0/CPU0:XR4#show cef 192.0.2.21
Wed May  9 19:36:06.659 UTC
192.0.2.21/32, version 16, internal 0x1000001 0x81 (ptr 0xa12b3a74) [1], 0x0 (0xa12994f4), 0xa28 (0xa150d140)
 Updated May  8 22:23:32.049 
 local adjacency 100.64.134.13
 Prefix Len 32, traffic index 0, precedence n/a, priority 1
   via 100.64.134.13/32, GigabitEthernet0/0/0/0.134, 9 dependencies, weight 0, class 0 [flags 0x0]
    path-idx 0 NHID 0x0 [0xa0f592a4 0x0]
    next hop 100.64.134.13/32
    local adjacency
     local label 16021      labels imposed {16021}

Checking the CEF table, we can see that the imposed label and the local label are both 16021. Imposed means that 16021 will be used to forward these packets through the core.

RP/0/0/CPU0:XR4#show mpls forwarding labels 16021        
Wed May  9 19:38:12.840 UTC
Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes       
Label  Label       or ID              Interface                    Switched    
------ ----------- ------------------ ------------ --------------- ------------
16021  16021       SR Pfx (idx 21)    Gi0/0/0/0.134 100.64.134.13   5628  

This is a prefix SID that is applied to XR1's loopback. It is both the local label and the outgoing label.

RP/0/0/CPU0:XR4#sh ospf database opaque-area adv-router 192.0.2.21
Wed May  9 19:39:44.484 UTC


            OSPF Router with ID (192.0.2.24) (Process ID 1)

                Type-10 Opaque Link Area Link States (Area 0)

  LS age: 926
  Options: (No TOS-capability, DC)
  LS Type: Opaque Area Link
  Link State ID: 4.0.0.0
  Opaque Type: 4
  Opaque ID: 0
  Advertising Router: 192.0.2.21
  LS Seq Number: 80000027
  Checksum: 0x8ceb
  Length: 52

    Router Information TLV: Length: 4
    Capabilities:
      Graceful Restart Helper Capable
      Stub Router Capable
      All capability bits: 0x60000000

    Segment Routing Algorithm TLV: Length: 1
      Algorithm: 0

    Segment Routing Range TLV: Length: 12
      Range Size: 8000

        SID sub-TLV: Length 3
         Label: 16000

  LS age: 664
  Options: (No TOS-capability, DC)
  LS Type: Opaque Area Link
  Link State ID: 7.0.0.1
  Opaque Type: 7
  Opaque ID: 1
  Advertising Router: 192.0.2.21
  LS Seq Number: 80000027
  Checksum: 0xc5ee
  Length: 44

    Extended Prefix TLV: Length: 20
      Route-type: 1
      AF        : 0
      Flags     : 0x40
      Prefix    : 192.0.2.21/32

      SID sub-TLV: Length: 8
        Flags     : 0x0
        MTID      : 0
        Algo      : 0
        SID Index : 21

Looking at the Segment Routing Range TLV and the Extended Prefix TLV in the OSPF Opaque LSAs above, we see that the Prefix SID range begins at 16000 and carries on for 8000 labels, which gives 16000 - 23999. Below that we see the prefix 192.0.2.21 with an index of 21. 16000 plus 21 gets us 16021. This means that 16021 will be the transport label every SP core router, XR2 through XR8, uses to reach XR1.
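To tie the TLV fields together, here is an added Python example (not from the original post) that parses the two Opaque LSAs above, pulls the SRGB base and range size from the Router Information LSA (Opaque Type 4) and the SID index from the Extended Prefix LSA (Opaque Type 7), and derives the prefix-SID label the same way the router does: base + index. That is also the relationship between "index 28" on XR8 and "absolute 16021" on XR1 described earlier. The LSA text is the output above copied as the sample input; the range check on the index and the SRGB consistency check across routers are added checks that go beyond what the post shows.

```python
import re

# Constructed sample input: the two Type-10 Opaque LSAs XR1 (192.0.2.21) advertises, copied from
# the "show ospf database opaque-area adv-router 192.0.2.21" output above.
OPAQUE_LSAS = """\
  LS age: 926
  Options: (No TOS-capability, DC)
  LS Type: Opaque Area Link
  Link State ID: 4.0.0.0
  Opaque Type: 4
  Opaque ID: 0
  Advertising Router: 192.0.2.21

    Router Information TLV: Length: 4
    Capabilities:
      Graceful Restart Helper Capable
      Stub Router Capable

    Segment Routing Algorithm TLV: Length: 1
      Algorithm: 0

    Segment Routing Range TLV: Length: 12
      Range Size: 8000

        SID sub-TLV: Length 3
         Label: 16000

  LS age: 664
  Options: (No TOS-capability, DC)
  LS Type: Opaque Area Link
  Link State ID: 7.0.0.1
  Opaque Type: 7
  Opaque ID: 1
  Advertising Router: 192.0.2.21

    Extended Prefix TLV: Length: 20
      Route-type: 1
      AF        : 0
      Flags     : 0x40
      Prefix    : 192.0.2.21/32

      SID sub-TLV: Length: 8
        Flags     : 0x0
        MTID      : 0
        Algo      : 0
        SID Index : 21
"""


def split_lsas(text):
    """Split 'show ospf database opaque-area' output into one text chunk per LSA."""
    chunks, cur = [], []
    for line in text.splitlines():
        if line.strip().startswith("LS age:") and cur:
            chunks.append("\n".join(cur))
            cur = []
        cur.append(line)
    if cur:
        chunks.append("\n".join(cur))
    return chunks


def field(chunk, name):
    """Value of a 'Name : value' line inside one LSA chunk, or None if absent."""
    m = re.search(rf"^\s*{re.escape(name)}\s*:\s*(\S+)", chunk, re.M)
    return m.group(1) if m else None


def parse_sr_lsas(text):
    """Return ({advertising router: (srgb_base, srgb_size)}, [(router, prefix, sid_index)])."""
    srgb, prefixes = {}, []
    for chunk in split_lsas(text):
        otype, router = field(chunk, "Opaque Type"), field(chunk, "Advertising Router")
        if otype == "4" and field(chunk, "Range Size"):      # Router Information LSA, SR Range TLV
            srgb[router] = (int(field(chunk, "Label")), int(field(chunk, "Range Size")))
        elif otype == "7" and field(chunk, "SID Index"):     # Extended Prefix LSA, Prefix-SID sub-TLV
            prefixes.append((router, field(chunk, "Prefix"), int(field(chunk, "SID Index"))))
    return srgb, prefixes


def prefix_sid_labels(srgb, prefixes):
    """Derive base + index for each prefix; report indexes that fall outside the SRGB."""
    labels, problems = {}, []
    for router, prefix, index in prefixes:
        base, size = srgb[router]
        if not 0 <= index < size:
            problems.append(f"{prefix}: SID index {index} is outside SRGB size {size}")
            continue
        labels[prefix] = base + index
    return labels, problems


def srgb_consistent(srgb):
    """Added check: every node should advertise the same SRGB. The outgoing label for a
    prefix-SID is computed from the next hop's SRGB, so with identical SRGBs the local and
    outgoing labels match, as the CEF output above shows (16021 in both places)."""
    return len(set(srgb.values())) <= 1


if __name__ == "__main__":
    srgb, prefixes = parse_sr_lsas(OPAQUE_LSAS)
    labels, problems = prefix_sid_labels(srgb, prefixes)
    print("SRGB per router:", srgb)
    print("prefix-SID labels:", labels, "problems:", problems)
    print("SRGB consistent:", srgb_consistent(srgb))
```

Feeding it the opaque-area database for all advertising routers (drop the adv-router filter) gives the full prefix-to-label map for the core, which is the table the traceroute label stacks in these posts can be checked against.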