June 22, 2016

Network Design and Architecture

Is the CCDE Practical exam changing in 2016?

I read lots of comments on blogs and forums about CCDE exam changes. People think that the CCDE Practical exam is going to change by July 2016. Guys, relax. The CCDE Practical/Lab exam is not going to change, and Cisco will not add any vendor-specific SDN technologies into the CCDE Practical exam. But in […]

The post Is the CCDE Practical exam changing in 2016? appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by admin at June 22, 2016 10:50 AM


June 21, 2016

My Etherealmind

Upgrade Your Data Centre To A Closet

I'm back to installing servers/network in closets. Do we need data centers anymore?

The post Upgrade Your Data Centre To A Closet appeared first on EtherealMind.

by Greg Ferro at June 21, 2016 08:22 PM



June 16, 2016

Internetwork Expert Blog

CCIE Security v5 Blueprint Update Announced

Finally, Cisco has made the official announcement of the upcoming changes for CCIE Security Version 5. The changes to both the written exam and the lab exam go live starting January 31st, 2017, which gives you the usual 6-month window to pass the Version 4 exam before the change to Version 5 occurs. Compared to the old blueprint, there are major changes in both the technical content and the exam delivery format.

As expected, the new exam topics are in line with Cisco’s current Security product line, with pretty much nothing missing. Yes, you got that right! Also as expected, Cisco is pushing the same exam delivery model for all CCIE tracks.

Blueprint Technical Topic Changes

We now have a Unified Exam Blueprint covering topics for both the written and lab exams, similar to the change that was introduced with CCIE Data Center Version 2. The Blueprint for Version 5 is divided into 6 sections, with the last one being relevant only for the written exam:

  • Perimeter Security and Intrusion Prevention
  • Advanced Threat Protection and Content Security
  • Secure Connectivity and Segmentation
  • Identity Management, Information Exchange and Access Control
  • Infrastructure Security, Virtualization and Automation
  • Evolving Technologies*

*Written exam only

Topics removed from both written and lab exams:

  • EzVPN is out now; as expected, Cisco is moving forward with its AnyConnect (IPsec and SSL) Remote Access VPN client
  • Legacy IPS, Cisco’s old IPS technology, is out now as well

Many topics have been added to the current blueprint. As we no longer have different blueprints for the written and the lab exams, whatever is in the blueprint can show up in both exams. Although, based on the lab exam equipment changes, some technologies cannot be configured in the lab exam, you might still get questions about them in the new Diagnostic section of the lab exam. This means that you should be prepared for all the technologies in the blueprint, for both exams.

New Version 5 Topics:

  • FirePOWER
  • ASA Clustering
  • NAT for IPv6
  • Cloud Web Security (CWS)
  • Email Security Appliance (ESA)
  • Content Security Management Appliance (SMA)
  • Advanced Malware Protection (AMP)
  • OpenDNS
  • Lancope
  • Virtual Security Gateway
  • TrustSEC with SGT and SXP
  • ACI, EVPN, VXLAN and NVGRE
  • ISE Personas with multimode deployment
  • MDM Integration with ISE
  • EAP-TEAP
  • pxGRID
  • Wireless concepts such as FlexCONNECT and ANCHOR
  • NetFLOW/IPFIX and eStreamer
  • APIC-EM Controller
  • RESTful API in scripting languages such as Python
  • Evolving Technologies (Cloud, SDN and IoT) being only in the written exam

Lab Exam Equipment Changes

As previously rumored, in Version 5 we have more equipment going virtual:

  • FirePOWER Management Center version 6.0.1 and/or 6.1
  • FirePOWER NGIPSv version 6.0.1
  • Cisco FirePOWER Threat Defense version 6.0.1
  • FireAMP Private Cloud
  • Cisco ASAv version 9.1
  • Cisco Application Policy Infrastructure Controller Enterprise Module version 1.2
  • Email Security Appliance (ESA) version 9.7.1
  • IOSv L2 version 15.2 (which is virtual IOS for layer 2)
  • IOSv L3 version 15.5(2)T (which is virtual IOS for layer 3)
  • Cisco CSR 1000v version 3.16.02S
  • Cisco Unified Communications Manager version 8.6(1)

Other virtual devices have been kept from the previous blueprint, with a version change:

  • Cisco Identity Services Engine (ISE) version 2.1.0
  • Cisco Secure Access Control System (ACS) version 5.8.0.32
  • Cisco Web Security Appliance (WSA) version 9.2.0
  • Cisco Wireless Controller (WLC) version 8.0.133
  • Test PC is Microsoft Windows 7
  • Active Directory is running on Microsoft Windows Server 2008
  • AnyConnect version 4.2

As for physical devices, we have the following in Version 5:

  • Cisco Catalyst Switch C3850-12S version 16.2.1
  • Cisco Adaptive Security Appliance: 5512-X version 9.6.1
  • Cisco 2504 Wireless Controller: 2504 version 8.0.133.0
  • Cisco Aironet1602E version 15.3.3-JC
  • Cisco Unified IP Phone 7965 version 9.2(3)

FirePOWER is the major new addition: both the FirePOWER NGIPS and FirePOWER Threat Defense (the unified code for ASA and FirePOWER Services) are added, alongside FirePOWER Management Center as the management platform. FireAMP will also be present through the private cloud appliance, which provides advanced malware protection through big data analytics, with policies, detections and protections stored locally on premises.

The ASA firewall is now present through the physical ASA 5512-X and the virtual ASAv. The addition of APIC-EM, which supports both the physical and virtual ASA models, is clearly interesting; it is strong proof of Cisco’s vision moving forward, which is clearly the adoption of SDN technologies in the Enterprise market.

As expected, ESA has finally been added to the game; even in Version 4 it was supposed to be in the lab exam, but Cisco decided in the end to skip it.

Routers and switches are now virtualized through IOSv for Layer 2/Layer 3 and CSR 1000v, the exception being the 3850 switch, which most probably is there for the TrustSEC features not supported by virtualization (MACsec, SGT, SXP).

Finally, I would assume that the only reason for Cisco Unified Communications Manager being in a Security CCIE lab is for the IP Phone to register, which means you need zero knowledge about this technology.

Lab Exam Format Changes

The new lab exam format follows Cisco’s current vision of exam delivery, aimed at properly testing you on different sets of skills. The format is the same as the one introduced with CCIE R&S Version 5, but of course with the Security technical topics instead of the R&S ones.

The eight-hour lab is now divided into three modules, with the order of the modules fixed as follows:

  • Troubleshooting module
  • Diagnostic module
  • Configuration module

Troubleshooting Module

  • It’s 2 hours in length; you can optionally borrow 30 minutes from the Configuration module.
  • As the name says, it’s a troubleshooting section, where you’ll be given a certain number of tickets/incidents that you need to fix. There is no inter-dependency between tickets and you can fix them in whatever order you want. You have access to the device consoles in order to reconfigure the network and fix the problems.
  • This module is aimed at testing your troubleshooting technique and methodology, and your ability to fix a problem in an unknown network topology within the allocated time.

Diagnostic Module

  • It’s 1 hour in length, and you cannot extend it.
  • As the name says, it’s still a troubleshooting section, but in a different format. You’ll be given a certain number of tickets/incidents that you need to fix; there is no inter-dependency between tickets and you can work on them in whatever order you want. The challenge is that you have NO access to the device consoles. Instead, for each ticket you are given several inputs (e-mail threads, diagrams, logs, traffic captures), from which you have to diagnose the problem and select the correct answer(s).
  • This module is aimed at testing your ability to analyze and correlate multiple inputs related to a network problem within the allocated time, identifying the root cause without being given access to the devices.

Configuration Module

  • It’s 5 hours in length, but it can be 4.5 hours if you extended the Troubleshooting module.
  • As the name says, it’s a configuration section, where you’ll be given a certain number of configuration tasks, with access to the device consoles to implement the given requirements. This is nothing other than what was the whole exam in Version 4, which had only one module. There will be dependencies between tasks; some of them will be explicitly stated, and some are implicit and you’ll have to figure them out.
  • This module is aimed at testing your understanding of a solution’s design and architecture, of the traffic flows and dependencies within a network when multiple technologies are combined, and your ability to understand network requirements and translate them into a working configuration within the allocated time.

Passing the Lab Exam

In order to pass the lab exam, two conditions need to be satisfied:

  • Pass each module: score enough points in each module to meet the minimum cut score for that module
  • The total number of points gained must meet the minimum overall cut-score criterion

As each individual module tests a different set of skills, though on the same technologies, the first criterion makes sense: you have to pass each module. This ensures that you have proved to be an expert not only from the technology point of view, but also in being able to use that knowledge to fix various types of problems while being challenged in different ways. The minimum cut-score for each module is unknown, most probably because it could vary between different lab exam versions; for example, you might get a more complex Diagnostic section with a lower minimum cut-score, or a less complex Diagnostic section with a higher minimum cut-score.

The second criterion, the minimum overall cut-score, also makes sense. This is probably to ensure that you don’t pass the exam if you passed each individual module with close to exactly the minimum module cut-score. Basically, you can have a PASS for each module but a FAIL for the exam. What this means is that in order to have a PASS for the exam, you need to score more than the minimum cut-score either for all modules or for some of them.

Although it might seem that you’re walking in blind, since you go to the lab exam without knowing how many points are required to pass or in which of the three modules, this new lab exam format also has some benefits:

  • It gives flexibility, as you can score fewer points in one module where you are less prepared or less knowledgeable, and more points in other modules
  • It gives you better focus, as you’re no longer chasing points in the exam; you’re now aiming to do your best in each module and prove your skills, which also implies a change of strategy for the lab
  • By passing the current lab exam format, you’ve become an expert in the field, with the certified skills required to implement Cisco’s technologies in today’s and tomorrow’s networks

In conclusion, it’s now clear that if you want to become CCIE Security Version 5 certified, you will need more FirePOWER.

by Cristian Matei, CCIEx2 #23684 at June 16, 2016 01:52 PM


June 15, 2016

My Etherealmind

Corporate to Consumer Devolution

Selling Enterprise IT is moving to bottom up instead of top down. Consumer first.

The post Corporate to Consumer Devolution appeared first on EtherealMind.

by Greg Ferro at June 15, 2016 01:37 PM

PacketLife.net Blog

Announcing NetBox

Several years ago, I lamented the few options available for a provider-grade IPAM solution. Specifically, I explained why building a custom application would be undesirable:

Could I create a custom IPAM solution with everything we need? Sure! The problem is that I'm a network engineer, not a programmer (a natural division of labor which, it seems, is mostly to blame for the lack of robust IPAM solutions available). Even if I had the time to undertake such a project, I have little interest in providing long-term maintenance of it.

But I suppose time makes fools of us all.

Nearly one year ago, I started developing an IPAM application as part of my day job. Leveraging my experience with the Django Python framework, I had a working proof-of-concept in just a week. Over the next several months, the project grew more mature and began to take on additional roles: data center infrastructure management, circuit tracking, and credentials storage. Today, the tool functions as our "source of truth" for many aspects of our infrastructure. We call it NetBox.


by Jeremy Stretch at June 15, 2016 01:16 PM

Networking Now (Juniper Blog)

June 2016 Microsoft Patch Tuesday Summary

Welcome to the June edition of the Microsoft Patch Tuesday Summary. In this edition there are 16 updates; 5 are marked "Critical" and 11 are rated "Important". A total of 36 CVEs (Common Vulnerabilities and Exposures) were fixed over 16 bulletins this month. One of the Critical updates, MS16-063, is an Internet Explorer (IE 9 to 11) patch. This single update resolves 7 CVEs and is the highest-profile bulletin of the month.

by adityac at June 15, 2016 03:20 AM


June 14, 2016

Network Design and Architecture

What is flow-based load balancing?

Flow-based load balancing is used mostly in Layer 2 networks. Although in Layer 3 routing packets can be load balanced per packet or per flow, flow-based load balancing is commonly used with local area network, data center and data center interconnect technologies. There are two important load balancing mechanisms in Layer 2: VLAN-based load balancing and […]

The post What is flow-based load balancing? appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at June 14, 2016 06:25 PM

What does PE-CE mean in MPLS?

What does PE-CE mean in the context of MPLS? What are the CE, P and PE devices in MPLS and MPLS VPN? These are foundational terms and definitions in MPLS. MPLS is one of the most commonly used encapsulation mechanisms in Service Provider networks, and before studying more advanced mechanisms, this article is […]

The post What does PE-CE mean in MPLS? appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at June 14, 2016 05:39 PM

CCDE July 2016 Onsite Bootcamp in Las Vegas

I am glad to announce that the next bootcamp of this year will be in July 2016 in Las Vegas, right after Cisco Live. The last day of Cisco Live will be the first day of my CCDE class. Extend your vacation by 5 more days, inform your company now, get approval and meet me there […]

The post CCDE July 2016 Onsite Bootcamp in Las Vegas appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at June 14, 2016 12:18 PM

June 13, 2016

Network Design and Architecture

More network design resources are available for subscribers!

As a reader of this blog, you can access all of the posts on the website for free. But in case you don’t know yet, this website has a membership area. When you become a member you get access to 50+ hours of network design videos which will help you in the Cisco CCDE exam as well as in real-life […]

The post More network design resources are available for subscribers! appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at June 13, 2016 07:47 PM