Network technologies and trends


July 7, 2015  9:24 PM

What is VCP-NV – Series 2?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Auditing, Automation, DHCP, DNS, Firewalls, Load balancers, logging, Monitoring, NAT, Routers, Troubleshooting, VMware, VMware certifications, VPNs

When it comes for the VCP-NV certification preparations, one can certainly rely on VMware, as they have plenty of great resources. In may case I extensively used the following

VMware NSX 6.0 Documentation Center

NSX-V 6.0 Administrator Guide

VMware NSX-V 6.0 Design Guide

VCP-NV Exam Blueprint

VMware NSX for vSphere Introduction and Installation by Jason Nash

VMware NSX for vSphere: Network Services by Jason Nash

HOL-SDC-1403 – VMware NSX Introduction

VMware hands on Labs are really great asset one can have for the VCP-NV preparations, I would really like commend VMware efforts and commitment to provide these Hands on Lab that too for free. VMware offer four hours slot for HOL-SDC-1403 – VMware NSX Introduction hands on lab. These labs are designed well and helps anyone to understand the concepts well and also gives an opportunity to deploy various NSX components , try then and test them.

One greater asset I certainly recommend is the courses offered by PLURALSIGHTS by Jason Nash, I enjoyed watching Jason Nash and he really made things simpler and his videos are easy to understand. Since he comes from Cisco background he narrates the concepts, which any Network Engineer can understand.

I believe by using above mentioned resources once can easily pass the VPN-NV exam of course with dedication and hard work.

July 6, 2015  11:42 PM

What is VCP-NV – Series 1?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Auditing, Automation, DHCP, DNS, Firewalls, Load balancers, logging, Monitoring, NAT, Routers, Troubleshooting, VMware, VMware certifications, VPNs

Recently I tested my skills and knowledge on VMware Certifications, VMware Certified Professional – Network Virtualization also known as VCP-NV, which focuses on NSX products. The VCP-NV certification validates ability to install, configure, and administer NSX virtual networking implementations, regardless of the underlying physical architecture

VMware wants the successful candidates to demonstrate core-networking skills such as

 

  • Layer 2 switching and both static and dynamic Layer 3 routing Integration with virtual standard and distributed switches
  • Management of networking policies for performance, scalability, and ease of administration
  • Creating and administering NSX logical switches, Layer 2 bridges, routers, load balancers, VPNs, firewalls
  • Creating and administering Edge services, such as DHCP, DNS, and NAT, configuring and managing High Availability
  • Operational tasks, such as user permissions and roles, automation, monitoring, logging, auditing and compliance, backup and recovery
  • Troubleshooting an Enterprise-class NSX networking implementation

 

The exam consists of 120 questions and its one of the challenging exam I took especially when I am coming from Networking background. Any network engineer can certainly relate himself/ herself to the topics covered in VPC-NV exam. I recommend reading exam blueprint for further details.

VMware does offer VCP-NV certification exam to any one who holds a valid CCNA Data Center or CCNA Routing & Switching or CCNP Data Center or CCNP Routing & Switching certification or CCIE Data Center or CCIE Routing & Switching.

 

In my next post I will discuss about the approach I took and the materials I referred for the preparation of the VCP-NV exam.


July 2, 2015  9:28 AM

CCIE rescheduling policy is changed

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
CCIE, Cisco, Cisco certifications

Cisco changes their CCIE retake policy, the new email I received from Cisco Learning states

“For a limited time, we will waive the current lab retake policy so that all lab candidates will be able to retest for their lab exam with only a 30-day wait period. We’re offering this opportunity in response to your feedback about the challenges faced with longer wait times and difficulty getting a lab seat for retesting. We hear you and we understand your concerns, so we would like to take time to look at the data and evaluate our lab retake policy.”

Frequently Asked Questions About the CCIE Lab Exam Retake Policy Waiver

Q: Does this mean that between now and December 31, I can take the lab every 30 days?

A: Yes.

Q: Is the original policy back in place after December 31?

A: What happens after December 31 is dependent on the results of our research from now until that date.

Q: What does this mean if my current wait period is 90 days and I’m in the middle of the waiting period? Can I sign up now or do I have to continue to wait?

A: Yes, you can sign up now. You do not have to wait. The policy that is active at the time you schedule your lab will determine the time you have to wait. If you are beyond the 30-day wait period, you can book the earliest available seat you find.

Q: What if I’m already scheduled for a lab that I had to schedule out 90 days because of the original policy?

A: You will have the option to reschedule your lab attempt to an earlier date through the system.

I hope this will certainly create a huge demand for the seats as we can expect more and more unsuccessful candidates try to reappear for the lab after the 30 days gap.

Personally I feel the old approach was better and it gives ample time for unsuccessful candidates to prepare well and give their best try in the next attempt.


June 10, 2015  5:35 AM

Palo Alto releases PAN-OS 7.0

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
firewall, Gartner, Palo Alto Networks, Policy, Security

Palo Alto Networks one of the leaders in Gartner’s Magic Quadrant for next generation firewall released their new version of PAN-OS 7.0 trail.

Currently PAN-OS is available to Palo Alto customers who possess a valid support contract.

Some of the key new advancements include:

  • A new Automated Correlation Engine that identifies and prevents compromised hosts in an organization’s network by correlating patterns to pinpoint malicious activity.
  • WildFire threat intelligence enhancements that enable automated analysis of files against multiple versions of applications to identify malware specifically targeting legacy versions; the enhancements also classify malware by threat level, so teams can better prioritize their threat response for quick preventative action when needed.
  • A new high-capacity Network Processing Card for the PA-7050 that provides prevention at scale for data center environments with higher 10G port density and new 40G ports.
  • Advanced policy management capabilities within Panorama that make it even easier to create security policies and device configurations that can be easily and appropriately applied to many next-generation firewall instances, physical or virtual, reducing the chances for human error and gaps in the policy or configuration.

Looking forward to see the new PAN-OS and I hope they will incorporate their CNSE certification with new trail of PAN-OS.

 


May 30, 2015  8:05 AM

How to Configure uRPF in Strict Mode?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Cisco IOS, Cisco security, IP address, router, Topology

In this post lets configure uRPF in Strict mode, I have created the below topology using Cisco VIRL, a great tool to test many things.

uRPF - Strict Mode Topology

As you can see this topology comprises of three routers, R1 & R2 are directly connected using interfaces G0/1 and configured with an IP address 192.168.1.1/24 and 192.168.1.2/24 respectively.Where as R1 and R3 are directly connected using interface G0/2 at R1 and G0/1 at R3.

uRPF Connectivity details

There are two loopbacks configured in R1 and R2 called loopback 0 with an IP 1.1.1.1/21 and 2.2.2.2/32

In R1 we will configure a static route for R2 as shown below

Static Router in R1

This ensures that R1 has a static route for 2.2.2.2 and can reach it successfully.

Screen Shot 2015-05-30 at 10.47.26 AM

What happens when an intruder sitting in R3 creates a loopback interface and assign the same IP address used in R2 i.e. 2.2.2.2/32 and tries to spoofs the R1 network. Exactly in this scenario uRPF comes into picture.

We need to ensure that CEF is enabled on the router as uRPF relies on CEF, so make sure it’s enabled by default if not then enable it using the following IOS command

IP CEF deiables

IP Cef Configuration

IP CEF summary

Lets configure uRPF in strict mode using the Cisco IOS command

ip verify unicast source reachable-via rx”

uRPF configuration on R1

Remember these two interfaces are directly connected towards Router R2 and R3.

Lets see whether uRPF is enabled on those interfaces using the Cisco IOS Command

show ip interface g 0/1 | include verify

rRPF verifcation on R1

Lets try to ping R1 G0/1 IP address from R2 sourcing loopback 0, we could see R2 can ping R1 G0/1 IP address 192.168.1.1

Ping to R1 from R2 l0

Now imagine there is an intruder trying to Ping R1 G0/2 interface IP 192.168.3.1 from R3 using the loopback 0 with an IP address 2.2.2.2/32, lets see what the router does and lets verify the

Screen Shot 2015-05-30 at 11.01.02 AM

 

The packets will make it to R1 but they will be dropped at R1 G0/2 interface, we can verify this as using an IOS command   “show ip interface (respective interface) | include verifyas shown below

uRPF Verification 

 This example demonstrates that by using uRPF in strict mode one ensure the packets received are verified and action is taken if it doesn’t matches the required criteria.


May 28, 2015  6:55 PM

CCNA Cloud and CCNP Cloud is here – Series 2

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
CCIE, CCNA, CCNP, Cisco certifications, Cloud infrastructure, Design, Internet of Things, Linux, Storage, UC, Virtualization, Windows

The next major addition of Cisco Certifications towards Cloud is CCNP Cloud. Like all Cisco Professional Certifications the prerequisite for CCNP Cloud is an associate certification, in this case its CCNA Cloud or even any CCIE Certification can do.

In order for some one to be a CCNP Cloud Certified one needs to pass fours exams mentioned below

  • 300-504 CLDINF Implementing and Troubleshooting the Cisco Cloud Infrastructure
  • 300-505 CLDDES Designing the Cisco Cloud
  • 300-506 CLDAUT Automating the Cisco Enterprise Cloud
  • 300-507 CLDDACI Building the Cisco Cloud with Application Centric Infrastructure

Cisco recommends following training

  • Implementing and Troubleshooting the Cisco Cloud Infrastructure (CLDINF)
  • Designing the Cisco Cloud (CLDDES)
  • Automating the Cisco Enterprise Cloud (CLDAUT)
  • Building the Cisco Cloud with Application Centric Infrastructure (CLDDACI)

By August 2015, Cisco will unveil more details about CCNP Cloud, currently the syllabus for CCNP cloud is not available. But its for sure, that like other Cisco Professional exams , the CCNP Cloud is a lab based training and certification program that is targeted at Cloud engineers, Cloud Administrators, Cloud Designers, and Architects working in Data Centers.

Its worth to wait and watch how Cisco Cloud certifications are accepted by the community, especially when Cisco is projecting a huge success of Internet of Things (IoT) and the cloud elements


May 28, 2015  5:02 AM

CCNA Cloud and CCNP Cloud Certifications are here – Series 1

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
CCIE, CCNA, CCNP, Cisco certifications, Design, Linux, Storage, UC, Virtualization, Windows

Cisco announced the release of new Associate and Professional level of Certifications targeting Cloud. Seems like Cisco wants Networking professional to be aware of SDN, ACI, Virtual Application Containers and SAN. These certifications are known as CCNA Cloud and CCNP Cloud.

In order to be a CCNA Cloud one needs to pass 210-451 CLDFND and 210-455 CLDADM exams, these exams tests you on Cisco Cloud solutions. One needs to be aware of DC fundamentals; basics of UC, UF, Storage, Virtualization, and Network Services; Hypervisors, Windows Server and Linux OS; remote connectivity / VPN solutions; documentation of design, system builds, configurations, and support procedures.

Cisco recommends following training for CCNA Cloud Certification.

Understanding Cisco Cloud Fundamentals (CLDFND)

Introducing Cisco Cloud Administration (CLDADM)

The CCNA Cloud, 210-451 CLDFND exam is yet another standard Cisco exam, which last for 90-minute with approximately 55-65 questions.

covers the following topics

1.0 Cloud Characteristics and Models 14%
2.0 Cloud Deployment 16%
3.0 Basic Knowledge of Cloud Compute 24%
4.0 Basic Knowledge of Cloud Networking 22%
5.0 Basic Knowledge of Cloud Storage 24%

More details awaited for 210-455 CLDADM exams, which are expected to by announced in June 2015.

This is a great step by Cisco and the new development certainly gives us clue one day there might be CCIE Cloud.


May 27, 2015  6:10 AM

What is uRPF – Strict Mode?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Networking

As discussed in previous post, uRPF (Unicast Reverse Path) works in two modes strict mode and loose mode, in this post lets discuss more about Strict mode

In Strict mode the router will perform following checks for an incoming traffic on particular interface.

  • The router checks whether there is a matching entry for the source in the routing table.
  • The router also checks whether same interface was used to reach the source as where it received.

strict mode

Once the router ensure that the incoming packet passed the both checks it will permit the or else it will discard it. The strict mode fits well when once wants to ensure that the traffic is entering the router from a single uplink rather than multiple links (asymmetric routing)

In the upcoming post lets configure uRPF (Unicast Reverse Path) in strict mode


May 26, 2015  4:52 AM

What Is uRPF?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
IP, IP address, IP packets, RFC, Routers, Routing Table

uRPF also known as Unicast Reverse Path Forwarding is a great security feature found in Cisco IOS Router and ASA Firewalls which is used to limit the malicious traffic on an enterprise network.

Generally when a router receive a unicast IP Packet, the routers cares only about the destination IP address of the packets to forward it. If the packet has to be routed, the router will check it’s routing able for the destination IP address and based on the information it has it will forward the packet to respective interface.

While forwarding a packet the router doesn’t care about the source IP address as its not important for forwarding decisions, this may give an opportunity for the possible attacker to spoof the source IP address so that router will process this packet.

To overcome this issue one can certainly make use of uRPF (Unicast Reverse Path) this little feature ensures that the router verifies the source IP address of the packets it receives and also that packet is reachable via it routing table. uRPF (Unicast Reverse Path) is used to prevent common spoofing attacks and follows RFC 2827 for ingress filtering.

uRPF (Unicast Reverse Path) works in two modes strict mode and loose mode, lets see the difference between then in upcoming post.


May 25, 2015  4:43 AM

What is Cisco IOS Software Checker?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
ASA, Cisco, Cisco Nexus, firewall, IOS, Nexus, Security, Switches

We are all leaving in the age, where Network Security is given upmost importance; almost every major Organization does have a good Security team who are even responsible for looking at the vulnerabilities reported in their Network Security products.

Cisco does have a great tool called Cisco IOS Software Checker tool to search for Cisco Security Advisories that address specific Cisco IOS Software releases. One just simply need to either select the IOS Version he/she have in their environment

Screen Shot 2015-05-25 at 7.32.58 AM

Or simply copy and paste the show version command output

Screen Shot 2015-05-25 at 7.33.18 AM

Or even upload the text file, which contains the IOS Version details

Screen Shot 2015-05-25 at 7.33.26 AM

With three simple ways one can discover what the Security Advisories Cisco have to a particular IOS trail, and the corrective action they recommend. Certainly a very handy tool one can think of. Currently the Cisco IOS Software Checker does not support Cisco IOS XE Software, IOS XR Software, or interim builds of Cisco IOS Software. It will be great if Cisco create similar tool for Cisco ASA Firewalls and Cisco Nexus Switches platforms.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: