I remember a time when I taught a class called CIT (Cisco Internetwork Troubleshooting) and there was a wonderful rule that made all the students sweat a little more and all the instructors give that old Dr.Claw laugh (From Inspector Gadget if you have no idea what I’m talking about).  Essentially it allowed the Instructor to do things that were really mean and evil and forced the students NOT to take the easy way out.  What was that rule?  When troubleshooting you may NOT use the command Show Running-Config or any variant of it.

Some of you are thinking….wow- I would be lost.  To be honest I would be as well depending on the technology and the situation I’m in.  So I won’t burden you with that rule.  However, I would like to share a command that does’t just give you the running configuration on the ASA, rather it gives you the “real” running configuration.  What am I talking about?  Well, simply put- show run all…

That’s right!  While many of you know this deep dark secret (it’s not really a secret)  other don’t.  So there ya go!  A little tipt to put in your tip jar.

So the next time the boss says, “Man I cant remember the syntax of the default group policy on our ASA,” you can quickly respond with…

(type..type..type…)

ciscoasa# sh run all group-policy

group-policy DfltGrpPolicy internal

group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server none

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout 30

vpn-session-timeout none

vpn-filter none

ipv6-vpn-filter none

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

password-storage disable

ip-comp disable

re-xauth disable

group-lock none

pfs disable

ipsec-udp disable

ipsec-udp-port 10000

split-tunnel-policy tunnelall

split-tunnel-network-list none

default-domain none

split-dns none

intercept-dhcp 255.255.255.255 disable

<--- More --->

“It’s DfltGrpPolicy boss.  Anything else you need before I head to lunch?”

-Regards

Brandon Carroll – CCIE #23837

CCIE Candidates,

We get several emails asking if they can see a recorded version of a previous vLecture – well, we’re working on linking these to your IPexpert’s Member Area – but – in the meantime, links to previously completed (recorded vLectures) can be found on our Facebook page (and you don’t even need a Facebook account to get to them!) Visit THIS URL to see the list of vLecture topics and get access to their recordings.

Regards – Wayne

CCIE R&S, Voice, Wireless, Security, and Service Provider Candidates,

I’d like to thank all of the students and (potential CCIEs) who have attended our free online vLectures. It’s pretty amazing, but we’ve surpassed over 1,000 different students (confirmed email addresses) in the very short time we’ve been conducting them! I’m interested in hearing your thoughts on these free online vLectures and would like to get your feedback on what technical topics or items of discussion you would like us to add. We will be completing our 2010 (Q4) and Q1 2011 vLecture schedule soon – so please let me know what we’re missing or what you’d like to hear from our team of instructors! Lastly, we will be adding CCIE Wireless products (and also vLectures) to our website within the next week or two – so we are also taking recommendations on CCIE Wireless topics!

Thanks! – Wayne

We are pleased to announce that we were in attendance at the CCIE Voice Techtorial, given by Ben Ng (Cisco CCIE Voice Program Manager) at the Cisco Live Networkers Conference.  In that 8-hour session, we found out some interesting information regarding the CCIE Voice Written and Lab exam that we would like to pass along to you in no particular order.

There were no changes to the blueprint announced (thankfully!). All software versions will remain at 7.0 and are likely to remain at this release for a couple of years. It is worth pointing out that Cisco are well aware of the fact that there are several “bugs/undocumented features” that can be expected with any “.0” release. However candidates are expected to provide workarounds where applicable.

As most of you know, the Core Knowledge questions were removed some time in May 2010 and were replaced with troubleshooting tasks. The speaker repeatedly brought attention to the types of troubleshooting tasks candidates can expect. We have tried to summarize some of the most important points raised below.

• There is no dedicated troubleshooting section for the time being- troubleshooting is embedded into the configuration tasks of the exam. This is subject to change- in other words they may look at providing a dedicated troubleshooting section at some point in the future.
• Troubleshooting tasks account for approximately 15% of the points on the CCIE Voice Lab exam.
• Candidates will have to troubleshoot existing configuration which has built-in errors. More details of example errors are given below.
• Infrastructure tasks will for the most part be complete and will not be the responsibility of the candidate. However configuration might not be 100% correct!
• Going forward phones will be pre-configured into the UCM database. It was mentioned that SIP endpoints have not been tested thus far but candidates should expect SIP endpoints in the lab in the very near future. Interestingly it is the intention to have phones pre-registered with the correct firmware in advance- that means candidates will not be responsible for changing the firmware of the phone. This will come as a relief to many of you since this process is time-consuming.
• Troubleshooting tasks could potentially include in depth knowledge of the protocols used for establishing call setup. Detailed knowledge of the call flow involved in protocols such as SIP/MGCP/H323/SCCP/Q931/etc will be required in order to explain why certain calls to the “provider” are failing. It was mentioned that the candidate may not even have to fix the problem and instead create a text file with the relevant traces/debugs and a suitable explanation. A process not too dissimilar when you create a TAC case.
• Cisco will continuously modify the content of the lab and this includes changing the number of UCM and UCME sites. You can expect 3 UCM sites, 3 UCME sites or anything in between!
• Gatekeeper/CUBE/SIP Trunk tasks will be added to the lab at some point in the near future (if not already!). The PSTN provider in the lab may not necessarily be a T1/E1 connection but rather a H323 or SIP ITSP.
• Security related tasks (authentication and encryption of signaling and media) are not going to be tested since these tasks are too difficult to maintain and implement. However the CCIE Voice Written test which will be updated later this year will cover those topics.
• The Voice CCIE pass rate is currently between 20% and 25% but expect that figure to drop as the impending lab updates will no doubt increase the difficulty of the test.

Overall we were very pleased with the outcome of the discussion- no major updates for a couple of years will come as a huge relief to all training vendors. The IPexpert BLS and bootcamps have for more than a year now been covering SIP Phones, CUBE, multiple UCME sites and detailed knowledge of the protocols involved in call set up. The biggest takeaway from the session was undoubtedly troubleshooting is going to be the singular most important skill candidates will need to pass the lab – if you are going to pass the CCIE Voice going forward you need to focus on the why and not only the how as has been the case in the past.

Amy Ryan CCIE# 24677
Senior Technical Instructor
IPexpert Inc

CCIE Candidates,

I’m pleased to announce that we’ve updated our schedule to now include Q1 for 2011. You will find the dates and locations for our CCIE R&S, CCIE Voice, CCIE Security and CCIE Service Provider classes with new 2 locations added (Brussels, New Jersey / New York). We will be updating our website to include information pertaining to our CCIE Wireless products and classes within the month of July – Classes for CCIE Wireless will begin in Q1 2011 and will be announced when the website is updated. Please know that onsite classes are added on an “as requested basis. If you have a group of 6 or more potential students, you can contact a Training Advisor at sales@ipexpert.com, www.ipexpert.com/chat or +1.810.326.1444 to discuss onsite / group rates.

Regards, – Wayne

From: http://www.cisco.com/web/learning/le3/ccie/certified_ccies/ccie_emeritus.html

As the CCIE program continues to grow and develop Learning@Cisco recognizes that the individuals certified within the program are also growing and developing. To recognize the long term members of this program a new level of involvement has been created — CCIE Emeritus.

Who is Emeritus for?

Long term CCIE’s who have moved out of the “day to day” technical work but would like to stay involved in the program serving as ambassadors to current and future CCIE’s

Emeritus Guidelines:

Beginning August 1, 2010

At the 10 year anniversary Cisco will send a letter informing the CCIE of potential eligibility for Emeritus. CCIE’s desiring to join the Emeritus program must submit a completed application to the CCIE Emeritus team. Link to application will be provided in the letter.

Approval is subject to Cisco’s sole discretion. Emeritus status is granted for one year from the date of approval. Candidates must re-apply each year to maintain status.

Letters will be sent at the beginning of each month at minimum 30 days prior to anniversary/expiration date.

Emeritus Application Requirements:

• Completed application
• 10 years current and active status as CCIE
• $85.00 annual fee (subject to change year to year)
• Summary of program participation (detailed in application)
• Not affiliated with a Channel or Cisco Partner

Emeritus Benefits:

• Permission to use Emeritus logo — subject to Cisco requirements
• In situations where logo is not applicable the word Emeritus will follow CCIE number
• CCIE number is maintained but now classified as Emeritus status
• Candidate is recognized for technical proficiency and long term status within the program
• Continue to participate in discussion forums, blogs, groups, etc… as an Emeritus
• Opportunity to re-enter active CCIE status for up to ten years by taking any current written CCIE exam

Emeritus Rules:

CCIE Emeritus is a non-active status. As such the following rules apply —

• DOES NOT provide TAC support privileges or preference
• DOES NOT count towards Channel / Partner requirements
• DOES NOT apply towards maintaining status levels for Channel Partners
• DOES REQUIRE candidates to continue to report violations to the program when encountered

**As with the CCIE program itself The Learning@Cisco organization and Cisco reserves the right to terminate at any time without specific notice to the candidate. Individuals who are accepted as CCIE Emeritus must maintain all ethics and guidelines of the program.

Be sure to Check out our June Newsletter for news pertaining to our self-study CCIE preparation materials, our 2010 CCIE course schedule (Discounts for classes in Europe, Asia & Australia), Cisco Appreciate Discounts, CCIE Wireless preparation products(Details coming in July) and FREE resources.

Cisco has revised the CCIE Security Written Exam to match the Version 3.0 blueprint.  While the CCIE Security Version 3.0 Written exam contains more technology topics than the Practical exam, including Wireless Security, it is much more inline with the current technologies that are tested on in the CCIE Practical Exam, than the previous version of written exam.  The exam is schedule to be in effect beginning on August 12th, 2010.  Candidates taking the exam prior to that date can continue to study using the version 2.0 blueprint.

I would encourage students to use Cisco Documentation, Network Security Technology and Solutions, and our soon to be released CCIE Security Written Exam Bootcamp for your written preparation.  By using the Cisco Documentation you will be preparing for the CCIE Security Practical exam at the same time, as this is the only documentation available to CCIE candidates during the lab exam.

You can view the blueprint changes here.

-Cheers!

Brandon Carroll – CCIE #23837

Senior Technical Instructor – IPExpert

Mailto: bcarroll@ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130

So you are labbing it up and are just about at the end of your rope with this Flexible Packet Matching. If you see one more task with FPM you are going to blow a gasket! Don’t worry, you’re not alone. Many students have difficulty with FPM. I think it’s because it just needs to be laid out the right way. So, never fear! IPexpert is here. Let me give you the “What you need to know” version of FPM.

Basically, FPM is a Stateless Packet Classification Mechanism used in Cisco IOS to deploy custom filters to various types of traffic. When I say stateless what you should be understanding from that is that FPM only looks at 1 packet at a time, and has no concept of a flow of traffic. This is packet by packet inspection. FPM goes beyond the static attributes that are traditionally seen when using Access Control Lists and enables filtering based on not only static attributes, but arbitrary bits or bytes at any offset within the entire packet payload or entire packet header, as well as the ability to specify multiple attributes in a packet. In other words, what makes FPM so flexible is that it can “see” a ton of stuff in the packet, which lets us have a lot more control than an ACL ever offered us.

Now FPM starts with a PHDF file, so lets break that down.

PHDF Files

FPM makes use of XML files called Protocol Header Description Files to map out the fields in various headers. You can think of this as a road map for FPM, whereas otherwise it would not know how to find the destination-port filed in a TCP header, the PHDF gives it a map to follow and locate the correct field. PHDF files are used any time you enter the “match field” command in an FPM class-map. The PHDF files are located at “system:/fpm/phdf/”. These files need to be loaded prior to configuring FPM.

load protocol system:/fpm/phdf/ip.phdf
load protocol system:/fpm/phdf/tcp.phdf
load protocol system:/fpm/phdf/udp.phdf

Once you have the PHDF loaded you can create a policy that utilizes what they can “match.”

Creating a Filter Policy

Creating a Filter Policy with FPM usually requires the following steps:

1. Load a PHDF (for protocol header field matching)
2. Define a class map and define the protocol stack chain (traffic class)
3. Define a service policy (traffic policy)
4. Apply the service policy to an interface

For FPM to match traffic you must be able to identify traffic. FPM identifies traffic using a class-map. There are two types of class-maps used in FPM, stack and access-control. When using a loaded PHDF, the class specification begins with a list of the protocol headers in the packet. This is done using a class-map command with type “stack”. The class-map type stack is not that difficult to understand. FPM, by default, only knows about the IP header. If you dont define the “stack” then you are stuck filtering on what’s in the IP header only. However, when you define the stack it gives you the ability to say, “First I want you to look at the IP header for this, then we go look at the TCP header for this.” Again, without a class-map type stack FPM cannot go look at information that is in any header other than the IP header.

class-map type stack [match-all | match-any]

match field   {eq | neq}  [mask ] next

-or-

match field   {gt | lt | range | regex } next

If no stack-type class map is specified, the default protocol stack is IP only and you will be limited in what FPM can be used to match.
Once the stack of protocols is defined, a class map of type “access-control” is defined for classifying packets.

class-map type access-control [match-all | match-any]

match field   { eq | neq }  [mask ]

-or-

match field   { gt | lt | range | regex }

The next step is to create a policy map that can be attached to one or more interfaces. This policy map will specify the name of the previously created class-map as well as the action of drop.

policy-map type access-control childPM

class DEST

drop

Policy-map type access-control parentPM

class SOURCE

service-policy childPM

The Final step is to apply the policy using the “service-policy” command.

interface FastEthernet0/0
 service-policy type access-control input parentPM

FPM Example 1: Blocking SSHv1

Begin by loading the PHDF’s:

load protocol system:/fpm/phdf/ip.phdf
load protocol system:/fpm/phdf/tcp.phdf

Next you’ll want to create the class-map type stack so that FPM knows where to look. In this case we are creating a class-map type-stack that tells FPM that we are going to start in the IP header by looking at the protocol field and making sure it is 0×06, which is TCP. Then we are telling FPM the next thing to look at is the TCP header. When looking at the TCP header we have instructed FPM to look into the destination port field and match on port 0×16 which is port 22, or SSH. The next IP is simply there to say, “OK, no more, lets get on with things now.”

class-map type stack match-all TCP
 match field IP protocol eq 0x6 next TCP
 match field TCP dest-port eq 0x16 next IP

Next we have told FPM with a class-map of type access-control, that is should start looking at the IP payload. Now this is where it’s a bit interesting. The IP Payload “is” where the TCP header starts. The TCP header is 20 bytes. So we are telling FPM to start looking at the packet 20 bytes AFTER the IP header. In other words, look at the data AFTER the TCP header. From there we want to look at 28 bytes for the string defined in the regular expression.

class-map type access-control match-all SSHv1
 match start IP payload-start offset 20 size 28 regex "^SSH\-1\.[0-9]+"
!

Next a policy-map is created that refers to the access-control class-map. Remember that without referencing the stack FPM will have no idea where to look.

policy-map type access-control SSHv1
 class SSHv1
   drop
   log

So next we tell FPM, look at the class TCP, which refers to the stack class. Once you know its TCP traffic on port 22, then I want you to look at the SSHv1 class, the access-control class for the regex string that identifies SSH version 1.

policy-map type access-control FPM
 class TCP
  service-policy SSHv1

Finally we wrap this up by applying the policy to the interface.

interface FastEthernet0/0
 service-policy type access-control input FPM

Ok, so now you’re thinking…”I got this! FPM is in the Bag.” Well, let’s see just how well you got this.

This next example actually has a problem. Can you spot what it is?

FPM example 2: Find the Problem

class-map type access-control match-all TELNET_BLOCK_CM

 match field IP dest-addr eq 192.168.30.1

 match field IP protocol eq 6

 match field TCP dest-p eq 23

policy-map type access-control TELNET_BLOCK_PM

 class TELNET_BLOCK_CM

  drop

int fa0/1

 service-policy type access-control input TELNET_BLOCK_PM

Did you spot the issue? If you said that we cannot use the “match field TCP dest-p eq 23 line in the class-map type access-control then you’re right and you deserve a pat on the back. Now the question is, Why? Well, the reason we cannot use the “match field TCP dest-p eq 23 line in the class-map type access-control is because we have not defined a class-map type stack that tells FPM, “Once you look at the IP header I want you to look at the TCP header.” The fix here would be to create a class-map type stack with the stack definition.

The Wrap-Up

Well, obviously there is more that can be done with FPM, however I’m confident that you now have a better understanding of how the stack-class works in allowing you to match traffic more granularly. If you’re feeling bold I challenge you to create an FPM policy that blocks telnet from a specific host, one that blocks all ICMP echo’s and one that blocks all fragmented packets. Each of these should be easy enough to test and will make you more proficient in configuring FPM when asked to do so on the CCIE Security Lab Exam.

-Happy Labbing!

Brandon Carroll – CCIE #23837

Senior Technical Instructor – IPExpert

Mailto: bcarroll@ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130